News

LXD 5.1 has been released

28th of April 2022

Introduction

The LXD team is very excited to announce the release of LXD 5.1!

This release comes with a lot of bugfixes following the LXD 5.0 LTS release, all of which will also be in the upcoming LXD 5.0.1 LTS bugfix release. But don't worry, there are also a handful of new features.

Enjoy!

New features and highlights

Sysinfo system call interception

A new security.syscalls.intercept.sysinfo option has been added which, when enabled, causes LXD to intercept the sysinfo system call and emulate it. Like the other security.syscalls.intercept.* options, it relies on seccomp notify support in the kernel and liblxc.

This allows values that would normally reflect the entire physical system to be replaced by values that properly reflect the container, derived from the instance's cgroup limits.

Depending on what software is used inside of the container, enabling this may result in better service configuration that respects the container's limits: a daemon that sizes its caches or worker pools from sysinfo (or from free, which is shown below) would otherwise plan for the host's memory and run into the container's cgroup limit instead.

stgraber@dakara:~$ lxc launch images:alpine/edge a1 -c limits.memory=1GiB
Creating a1
Starting a1
stgraber@dakara:~$ lxc exec a1 -- free -m
              total        used        free      shared  buff/cache   available
Mem:          63600       57777        5792        1572          31        1022
Swap:          2048           8        2040
stgraber@dakara:~$ lxc config set a1 security.syscalls.intercept.sysinfo=true
stgraber@dakara:~$ lxc restart a1
stgraber@dakara:~$ lxc exec a1 -- free -m
              total        used        free      shared  buff/cache   available
Mem:           1024           2        1020           0           3        1022
Swap:             0           0           0
stgraber@dakara:~$
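The Go program below is an added check, not LXD's own code, of what the interception changes from the container's point of view. Run inside an instance, it computes the effective cgroup memory limit the way the kernel enforces it (the smallest limit between the instance's cgroup and the root of the hierarchy the instance can see) and compares it with the total RAM that sysinfo(2) reports. It assumes a cgroup v2 hierarchy mounted at /sys/fs/cgroup, or a v1 memory controller at /sys/fs/cgroup/memory, and it only builds on Linux because it calls sysinfo directly. The function names are this example's own.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
	"syscall"
)

// Files carrying the memory limit: cgroup v2 first, then the v1 memory controller.
var limitFiles = []string{"memory.max", "memory.limit_in_bytes"}

// parseLimit converts the contents of memory.max or memory.limit_in_bytes to bytes.
// "max" (v2) and the page-rounded LONG_MAX that v1 reports for "no limit" mean unlimited.
func parseLimit(raw string) (uint64, bool) {
	s := strings.TrimSpace(raw)
	if s == "" || s == "max" {
		return 0, false
	}
	v, err := strconv.ParseUint(s, 10, 64)
	if err != nil || v >= 1<<62 {
		return 0, false
	}
	return v, true
}

// cgroupPathFromProc extracts the caller's cgroup path from /proc/self/cgroup.
// v2 lines look like "0::/lxc.payload.a1"; v1 lines like "4:memory:/lxc.payload.a1".
func cgroupPathFromProc(content string) string {
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		parts := strings.SplitN(sc.Text(), ":", 3)
		if len(parts) != 3 {
			continue
		}
		if parts[1] == "" || strings.Contains(","+parts[1]+",", ",memory,") {
			return parts[2]
		}
	}
	return "/"
}

// effectiveMemoryLimit walks from the cgroup up to the hierarchy root and returns the
// smallest limit on the path: the value the kernel enforces, and the one a container-aware
// sysinfo should report as total RAM.
func effectiveMemoryLimit(root, cgroupPath string) (limit uint64, found bool) {
	dir := filepath.Join(root, cgroupPath)
	for {
		for _, name := range limitFiles {
			raw, err := os.ReadFile(filepath.Join(dir, name))
			if err != nil {
				continue
			}
			if v, ok := parseLimit(string(raw)); ok && (!found || v < limit) {
				limit, found = v, true
			}
			break
		}
		rel, err := filepath.Rel(root, dir)
		if err != nil || rel == "." || strings.HasPrefix(rel, "..") {
			break
		}
		dir = filepath.Dir(dir)
	}
	return limit, found
}

// sysinfoTotalRAM returns what sysinfo(2) reports as total RAM, in bytes. Without
// interception this is the host's RAM even inside a memory-limited container.
func sysinfoTotalRAM() (uint64, error) {
	var si syscall.Sysinfo_t
	if err := syscall.Sysinfo(&si); err != nil {
		return 0, err
	}
	return uint64(si.Totalram) * uint64(si.Unit), nil
}

func main() {
	procCgroup, err := os.ReadFile("/proc/self/cgroup")
	if err != nil {
		fmt.Println("cannot read /proc/self/cgroup:", err)
		os.Exit(1)
	}
	root := "/sys/fs/cgroup"
	if _, err := os.Stat(filepath.Join(root, "memory")); err == nil {
		root = filepath.Join(root, "memory") // cgroup v1: the memory controller has its own mount
	}
	limit, limited := effectiveMemoryLimit(root, cgroupPathFromProc(string(procCgroup)))
	total, err := sysinfoTotalRAM()
	if err != nil {
		fmt.Println("sysinfo failed:", err)
		os.Exit(1)
	}
	fmt.Printf("sysinfo totalram: %d MiB\n", total>>20)
	switch {
	case !limited:
		fmt.Println("no cgroup memory limit on this path; sysinfo reflects the whole system")
	case total <= limit:
		fmt.Printf("cgroup limit %d MiB; sysinfo respects it (interception in effect)\n", limit>>20)
	default:
		fmt.Printf("cgroup limit %d MiB; sysinfo ignores it: set security.syscalls.intercept.sysinfo=true\n", limit>>20)
	}
}
```

Inside a cgroup-namespaced instance the walk only covers the part of the hierarchy the instance can see, which is exactly the view the emulated sysinfo has to be consistent with; limits applied further up on the host are invisible to both.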

lxc cluster role sub-command

To help scripting the addition and removal of cluster member roles, a new lxc cluster role sub-command was added.

stgraber@castiana:~$ lxc cluster role add celestis ovn-chassis
stgraber@castiana:~$ lxc cluster role remove celestis ovn-chassis

lxc storage volume info shows volume total size

The lxc storage volume info command now shows both the Usage (used size) and the Total volume size, when the latter is known.

stgraber@dakara:~$ lxc storage volume create default foo size=5GiB
Storage volume foo created
stgraber@dakara:~$ lxc storage volume info default foo
Name: foo
Type: custom
Content type: filesystem
Usage: 192.00KiB
Total: 5.00GiB

Configurable host network interface naming pattern

A new instances.nic.host_name server configuration key allows changing the pattern used when creating new host side network interfaces.

By default LXD uses a random pattern which leads to interface names like vethXYZ or tapXYZ where XYZ is a completely random string of characters. This does not make it easy to track down a particular instance from an interface name seen in ip link output, a firewall log or a packet capture.

As an alternative, the new configuration option can now be set to mac, which produces names made of a lxd prefix followed by what remains of the instance NIC's MAC address after its first byte and the colons are dropped (lxd163ecf0121 in the example below). For LXD-assigned addresses, which all start with 00:16:3e, the dropped byte carries no information, and the resulting 13 character name stays within the kernel's 15 character limit on interface names.

stgraber@dakara:~$ lxc launch images:alpine/edge a1
Creating a1
Starting a1
stgraber@dakara:~$ lxc info a1 | grep "Host interface"
      Host interface: veth0c1f893c
stgraber@dakara:~$ lxc config set instances.nic.host_name mac
stgraber@dakara:~$ lxc restart a1
stgraber@dakara:~$ lxc info a1 | grep "Host interface"
      Host interface: lxd163ecf0121
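The Go program below is an added example, not LXD's own code, of putting the mac pattern to use: it reproduces the naming rule as inferred from the lxd163ecf0121 output above (that inference is an assumption about LXD's exact scheme) and builds a reverse index from the volatile.<nic>.hwaddr keys of instance config back to the owning instance and NIC, so a host interface name can be attributed to an instance without guessing. The instance data is constructed; the a1 address is the one implied by the example, the others are made up. Because the kernel requires interface names to be unique per host, two NICs sharing a MAC are reported as a collision rather than silently overwritten.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"net"
	"sort"
	"strings"
)

// hostNameFromMAC reproduces the instances.nic.host_name=mac naming pattern as the example
// above shows it: "lxd" followed by the MAC address, colons removed, first byte dropped.
// The rule is inferred from lxd163ecf0121 and is an assumption, not LXD's own code.
// The result is always 13 characters, inside the kernel's 15 character (IFNAMSIZ-1) limit.
func hostNameFromMAC(mac string) (string, error) {
	hw, err := net.ParseMAC(mac)
	if err != nil {
		return "", err
	}
	if len(hw) != 6 {
		return "", fmt.Errorf("%q: expected a 48-bit MAC, got %d bytes", mac, len(hw))
	}
	return "lxd" + hex.EncodeToString(hw[1:]), nil
}

// nicIndex maps each expected host interface name back to "instance (nic)" using the
// volatile.<nic>.hwaddr keys of each instance's config. Interface names must be unique on a
// host, so two NICs with the same MAC are reported as a collision.
func nicIndex(instances map[string]map[string]string) (map[string]string, error) {
	index := map[string]string{}
	for inst, cfg := range instances {
		for key, val := range cfg {
			if !strings.HasPrefix(key, "volatile.") || !strings.HasSuffix(key, ".hwaddr") {
				continue
			}
			nic := strings.TrimSuffix(strings.TrimPrefix(key, "volatile."), ".hwaddr")
			name, err := hostNameFromMAC(val)
			if err != nil {
				return nil, fmt.Errorf("%s/%s: %w", inst, nic, err)
			}
			owner := inst + " (" + nic + ")"
			if other, dup := index[name]; dup {
				return nil, fmt.Errorf("%s and %s both map to host interface %s", other, owner, name)
			}
			index[name] = owner
		}
	}
	return index, nil
}

// sampleInstances is constructed data in the shape of `lxc config show` output; the a1
// address is the one implied by the lxd163ecf0121 example, the others are made up.
func sampleInstances() map[string]map[string]string {
	return map[string]map[string]string{
		"a1":  {"volatile.eth0.hwaddr": "00:16:3e:cf:01:21"},
		"db1": {"volatile.eth0.hwaddr": "00:16:3e:7a:02:9c", "volatile.eth1.hwaddr": "00:16:3e:1b:c4:d0"},
	}
}

func main() {
	index, err := nicIndex(sampleInstances())
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	names := make([]string, 0, len(index))
	for name := range index {
		names = append(names, name)
	}
	sort.Strings(names)
	for _, name := range names {
		fmt.Printf("%-15s -> %s\n", name, index[name])
	}
}
```

With stable, MAC-derived names, per-instance firewall rules and audit searches can be keyed on the host interface name; with the default random pattern the name changes on every start, which is why a lookup like this was previously only possible through volatile.<nic>.host_name at the moment of the query.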

Overrideable evacuation mode

When evacuating a cluster member, LXD looks at the cluster.evacuate configuration key to determine what to do with each individual instance. This works great for normal cluster evacuations, but there are situations, such as wanting to shut down an entire cluster, where one may want to override that action.

It's now possible with lxc cluster evacuate --action=stop which, in this case, will stop all instances regardless of their configuration. Do this on all of your cluster members and you'll be ready to shut down your entire cluster. Once back up, use lxc cluster restore and the instances will start back up.

Setting profiles during an image copy

For quite a while now, LXD has supported assigning a list of profiles to a particular image such that any new instance created from the image would get those profiles applied (unless specifically overridden by the user).

Until now, this had to be set up through lxc image edit after the image was added to the image store.

This release now adds a new --profile flag to lxc image copy allowing for profiles to be added directly at image copy time.

stgraber@dakara:~$ lxc profile create foo
Profile foo created
stgraber@dakara:~$ lxc profile create bar
Profile bar created
stgraber@dakara:~$ lxc image copy images:alpine/edge local: --alias alpine --profile default --profile foo --profile bar
Image copied successfully!
stgraber@dakara:~$ lxc launch alpine a1
Creating a1
Starting a1
stgraber@dakara:~$ lxc config show a1
architecture: x86_64
config:
  image.architecture: amd64
  image.description: Alpine edge amd64 (20220427_13:00)
  image.os: Alpine
  image.release: edge
  image.requirements.secureboot: "false"
  image.serial: "20220427_13:00"
  image.type: squashfs
  image.variant: default
  volatile.base_image: d263389bb3f9298a7de94cb11c1b44b12dcc7191be3aca245ae2f7cdf380be02
  volatile.cloud-init.instance-id: b7b2e897-231c-4a7a-852d-b0dc1e8945f6
  volatile.eth0.host_name: veth129b577b
  volatile.eth0.hwaddr: 00:16:3e:af:81:98
  volatile.idmap.base: "0"
  volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.idmap: '[]'
  volatile.last_state.power: RUNNING
  volatile.uuid: cd2edd5b-4d22-4222-8de4-1e7b5304fb22
devices: {}
ephemeral: false
profiles:
- bar
- default
- foo
stateful: false
description: ""

Complete changelog

Here is a complete list of all changes in this release:

Full commit list
  • doc: move networking content to new files
  • doc: add new files to the networking docs
  • doc: move network-peers
  • doc: move network-acls
  • doc: move network-forwards
  • doc: move network-zones
  • doc: clean up headings for networking section
  • doc: update and add content for networking
  • doc: add links to network_ovn_peers
  • doc: add links to network_zones
  • doc: add links to network_forwards
  • doc: add links to network_acls
  • doc: general cleanup
  • doc: general cleanup network_acls
  • doc: general cleanup network_forwards
  • doc: general cleanup network_zones
  • lxd/storage/btrfs: Fix usage nested
  • lxd/instance/qemu: Fix bad topoext logic
  • lxc: Fix typo in notes
  • lxd/networks: Removes references to nodes in user facing errors
  • lxd/networks: Clone per-node config on networksPostCluster
  • lxd/storage/pools: Removes references to nodes in user facing errors
  • lxd/db/storage/pools: Renames StoragePoolNodeConfigKeys to NodeSpecificStorageConfig
  • lxd: db.NodeSpecificStorageConfig usage
  • lxd/cluster/config: Remove legacy server level storage settings defaults
  • lxd/cluster/config: Remove deprecatedStorage
  • lxd/storage/utils: Removes ValidName
  • lxd/storage/pool/interface: Adds Type interface
  • lxd/storage/pool/load: Adds LoadByType function
  • lxd/storage/backend/mock: Adds ValidateName function
  • lxd/storage/backend/lxd: Adds ValidateName function
  • lxd/storage/utils: Improve validation of rsync.bwlimit
  • lxd/storage/backend/lxd: Validate earlier in Create
  • lxd/storage/pools/utils: Updates storagePoolValidate to use poolType.ValidateName
  • lxd/storage/volumes/snapshot: Updates storagePoolVolumeSnapshotsTypePost to use pool.ValidateName
  • lxd/storage/utils: Unexport some variables now unused outside of storage package
  • lxd/storage/pool/interface: Adds Validate signature
  • lxd/storage/backend/lxd: Adds Validate function
  • lxd/storage/backend/mock: Adds Validate function
  • lxd/storage/backend/lxd: Call b.ValidateName in Create
  • lxd/storage: size is not a common pool option
  • lxd/storage/drivers/driver/common: Removes pool name from validatePool errors
  • lxd/storage/pools: Don't call storagePoolValidate from storagePoolsPostCluster
  • lxd/storage/pools: Call pool.Validate directly in doStoragePoolUpdate
  • lxd/storage/pools/utils: Call poolType.Validate in storagePoolValidate
  • lxd/storage/pools/config: Remove legacy storagePoolConfigKeys and storagePoolValidateConfig
  • lxd/storage/pools: Clone per-node config in storagePoolsPostCluster
  • lxd/storage/pools/utils: Whitespace in storagePoolDBCreate
  • lxd/storage/pools/utils: Expand arg types to storagePoolDBCreate
  • lxd/storage/pools/utils: Use revert in storagePoolCreateGlobal
  • lxd/storage/pools/config: Remove file
  • lxd/storage/pools/utils: Removes call to storagePoolFillDefault in storagePoolDBCreate
  • lxd/storage/pools/utils: Rely on pool.Create to fill default pool config in storagePoolCreateLocal
  • lxd/storage/drivers/utils: Adds loopFileSizeDefault function
  • lxd/storage/drivers: Generate per-node loop file size from loopFileSizeDefault in Create
  • lxd/storage/drivers/driver/lvm/utils: Adds lvmThinpoolDefaultName constant
  • lxd/storage/drivers/driver/lvm: Populate lvm.thinpool_name if not specified in Create
  • lxd/storage/utils: Removes unused functions and variables
  • lxd/storage/pool/load: Removes unused CreatePool function
  • lxd: Fix typo in notes
  • doc/rest-api: Refresh swagger YAML
  • shared: Adds method to remove elements from a slice.
  • lxc: Adds cluster role / commands.
  • i18n: Update translation templates.
  • test: Removes cluster edit where possible.
  • lxd/db/generate/db/method/v2: Add V2 method generation
  • lxd/db/certificate/projects.mapper: Update generated code
  • lxd/db/certificates: Remove Projects from db Certificate struct
  • lxd/db/certificates.mapper: Update generated code
  • lxd/db: Use ClusterTx with ToAPI for filling reference fields
  • lxd/db/certificates: Pass projects into create/update helpers
  • lxd/db/certificates: Transition to using ClusterTx
  • lxd/events: Use ClusterTx instead of opening new transactions
  • lxd/certificates: Open fewer txes, use API structs for all fields
  • lxd/api/cluster: Update cert projects manually
  • lxd/instance/drivers/qemu: Add serial key to device
  • shared: Add SplitNTrimSpace
  • lxc: Move to shared.SplitNTrimSpace
  • lxd: Move to shared.SplitNTrimSpace
  • lxd/util: Remove SplitNTrimSpace
  • lxd/cluster: Don't overwrite original volatile.evacuate.origin
  • lxd/daemon/images: Renames imageDownloadLock to imageOperationLock
  • lxd/images: Use SmartError when handling error from d.cluster.GetImage
  • lxd/images: Use imageID rather than imageId
  • lxd/images: Add locking on imageDelete
  • shared/api: Add Total field
  • lxd: Add total field to /1.0/storage-pools/{name}/volumes/{type}/{volume}/state API
  • api: storage_volume_state_total
  • lxd/db/generate: Replace ErrNoSuchObject with api.StatusErrorf(http.StatusNotFound)
  • lxd/db: Applies changes to db generator
  • doc/rest-api: Refresh swagger YAML
  • lxd/util/net: Assign default port if no port given
  • lxd/instance/qemu: Allow using external firmware or kernel
  • lxd/instance/drivers: Fix context logging
  • lxd/storage/utils: Use volName in context logging for consistency
  • lxd/storage/volumes/snapshots: Use volName in context logging for consistency
  • lxd/storage/drivers/driver/ceph/utils: Use volName in context logging for consistency
  • lxd/storage/drivers/driver/lvm/volumes: Remove non-thinpool volume activation/deactivation workarounds
  • lxd/storage/drivers/driver/lvm/utils: Updates activateVolume and deactivateVolume to accept Volume type
  • lxd/storage/drivers/driver/lvm: activateVolume and deactivateVolume usage
  • lxd/storage/drivers/generic/vfs: Check for close errors
  • shared/instancewriter/instance/tar/writer: Check for close errors
  • doc: move Sphinx extensions to a separate repo
  • lxd/storage/drivers/volume: Check for unmount errors in MountTask
  • lxd/device/device/utils/disk: Use storageDrivers.TryUnmount without MNT_DETACH in DiskMountClear
  • doc: whitespace changes and reordering content
  • doc: add headings
  • lxd/storage/drivers/utils: Adds debug logging to TryUnmount
  • lxd/instance/qemu: Tweak warning on -bios/-kernel
  • lxd/storage/drivers/driver/lvm/utils: Don't deactivate non-thinpool snapshot volume if parent mounted
  • test: Removes old storage pool driver exclusions
  • lxd/storage/drivers/generic/vfs: Detect close errors in genericVFSMigrateVolume
  • lxd/instance: Fix RuntimeLiblxcVersionAtLeast to handle ~
  • shared: allow EOPNOTSUPP from llistxattr()
  • doc: update BGP server documentation
  • lxd/instance/drivers/driver/qemu: Correctly detect disk source path filesystem
  • lxd/instance/drivers/driver/qemu: Improve disk error context and comments
  • lxd/instance/drivers/driver/qemu: Fixes incorrect FD garbage collection in addDriveConfig
  • lxd/instance/drivers/driver/qemu: Remove unnecessary duplicated stat of disk source
  • lxd/instance/drivers/driver/qemu: Add input checks to addDriveConfig
  • lxd/device/disk: Pass cloud-init:config drive to QEMU using file descriptor
  • lxd/device/disk: Return explicit nil on error in localSourceOpen
  • test/suites/migration: Check optimized refresh
  • lxd/storage/drivers/btrfs: Change how subvolumes are received
  • lxd/storage/drivers/btrfs: Move subvolumes after reception
  • lxd/storage/drivers/btrfs: Update CreateVolumeFromBackup
  • lxd/instance/operationlock: Add update
  • lxd/instance/lxc: Use locking in Update
  • lxd/instance/qemu: Use locking in Update
  • lxd/instance/qemu: Replace container with instance
  • lxd/instance: Reword operationlock errors
  • lxd/migration/wsproto: Check websocket argument
  • lxd/storage/backend: Fix VolumeDBDelete revert
  • lxd/cluster: fix typo in comment
  • test/includes: remove unnecessary subshells
  • lxd/api/cluster: Remove duplicated not found error handling
  • lxd/api: Update not found error matching
  • lxd/db: Replaces use of ErrNoSuchObject with api.StatusErrorf(http.StatusNotFound)
  • lxd/db/errors: Removes ErrNoSuchObject constant
  • lxd/db: Don't use "node" in user facing errors
  • lxd/db/network/zones: Fix query case in GetNetworkZone
  • lxd/operations: Replace use of db.ErrNoSuchObject with api.StatusErrorf(http.StatusNotFound)
  • lxd/response/smart: Remove db.ErrNoSuchObject use
  • lxd/storage/drivers/driver/ceph: Replaces use of db.ErrNoSuchObject with api.StatusErrorf(http.StatusNotFound)
  • lxd/storage/drivers/lvm: Replaces use of errLVMNotFound with api.StatusErrorf(http.StatusNotFound)
  • lxd/backup/backup/config: Default to container instance type if not specified in backup config
  • test: Update backup test error response checks
  • lxd/storage/drivers/zfs: Close stderr after copy
  • doc: order tables alphabetically
  • doc: add IDs for easier linking
  • doc: move content to different files and include
  • doc/network/bridge: move IPv6 prefix section
  • doc/network/bridge: make config table for network_bridge consistent
  • doc/network/ovn: make config table for network_ovn consistent
  • doc/network/macvlan: make config table for network_macvlan consistent
  • doc/network/physical: make config table for network_physical consistent
  • doc/network/sriov: make config table for network_sriov consistent
  • doc: add a reusable note about IP address format
  • doc/network/bridge: add name space and format information for table
  • doc/network/physical: add name space and format information for table
  • doc/network/ovn: add name space and format information for table
  • doc/network/macvlan: add name space and format information for table
  • doc/network/sriov: add name space and format information for table
  • doc/network/physical: add supported features for network_physical
  • doc/network/ovn: add supported features for network_ovn and hide ToC
  • doc/network/bridge: add supported features for network_bridge and hide ToC
  • doc/network/bridge: content updates network_bridge
  • doc/network/ovn: content updates network_ovn
  • doc/network/physical: content updates network_physical
  • doc/network/sriov: content updates network_sriov
  • doc/network/macvlan: content updates network_macvlan
  • doc/network/external: content updates network_external
  • global: Update doc links to /latest
  • README: Use links to public doc pages
  • CONTRIBUTING: Use links to public doc pages
  • lxd/storage/drivers/generic/vfs: Updates genericVFSCopyVolume to not copy block volume files twice
  • lxd/storage/drivers/driver/dir/volumes: Use reverter in CreateVolumeSnapshot
  • lxd/storage/drivers/utils: copyDevice arg type expansion
  • lxd/storage/drivers/utils: Catch file close errors in copyDevice
  • lxd/fsmonitor: Hide permission errors
  • lxd/instance/lxc: Better handle missing apparmor
  • lxd/apparmor/dnsmasq: Support non-snap nesting
  • lxd/apparmor/dnsmasq: Properly handle logpath
  • lxd/instance/qemu: Avoid conflicting vsock IDs
  • lxd/storage/drivers/driver/dir/volumes: Updates CreateVolumeSnapshot to copy block volumes using io.Copy
  • lxd/storage/backend/lxd: Create instance snapshot symlink in CreateInstanceFromCopy
  • api: instance_file_head
  • lxd/daemon: Add support for HEAD
  • lxd/instance_file: Implement HEAD
  • doc/rest-api: Refresh swagger YAML
  • lxd/storage/drivers/utils: Update copyDevice to use low priority dd with 16M byte size and direct i/o
  • lxd: No need to import deprecated syscall
  • lxd/storage/utils: Run qemu-img dd with low priority and 16M buffer
  • lxd/instance/drivers/driver/qemu: Run qemu-img with low priority in Export
  • lxd: Error quoting fixes
  • lxd: Use SmartError rather than NotFound
  • lxd/networks: Don't return os.ErrNotExist from doNetworkGet
  • test: drop dependency on uuidgen
  • lxd/cluster: Add instances.nic.host_name config key
  • lxd/network: Support for instances.nic.host_name config key
  • lxd/device: Support for instances.nic.host_name config key
  • doc: Add instances.nic.host_name
  • api: instances.nic.host_name
  • lxd-agent: Ignore both trans= and msize= when on virtiofs
  • lxd/instance/qemu: Set msize on 9p
  • lxd/main_forkfile: Update comment
  • shared/idmap: Expose IdmapSet on all platforms
  • shared/subprocess: Add SetUserns
  • lxd/device/disk: Port to SetUserns
  • lxd: Remove forkuserns
  • global: Remove legacy build tags
  • lxd/instance_exec: Improve error on openpty
  • lxd/util: Extend tests for CanonicalNetworkAddress
  • lxd/devlxd: Don't expand format strings
  • tests: Test for format string in devlxd
  • lxd/instance: Prevent deleting volatile keys
  • lxd/instance: Update tests
  • lxd/instance: Don't allow root pool changes
  • tests: Test root disk device pool override
  • tests: Fix typo in storage_profiles test
  • doc: make it explicit that automake is needed to build LXD
  • doc: LXD requires Golang 1.18 now
  • lxd/main_init_interactive: Mention port
  • lxd/db/generate/db/method/v2: Create methods for reference tables
  • lxd/db/projects: Use v2 generator, remove UsedBy/Config fields
  • lxd/db/projects.mapper: Update generated code
  • lxd/db/projects: Populate config in ToAPI
  • lxd/db/projects: Use GetProjectConfig
  • lxd/db/projects: Removed UsedBy handling from db package
  • tests: Add test for instances.nic.host_name
  • lxd/storage/drivers/zfs: Check if raw flag can be used
  • lxd/storage/drivers/zfs: Use -w in zfs send if possible
  • shared/subprocess: Fix comment
  • shared/api: Update to new godoc comment
  • client: Update to new godoc syntax
  • lxd/api/project: Add projectUsedBy
  • shared/api/project: Add URL method
  • lxd/storage/volumes/utils: Use api.Project for InstanceList
  • lxd/api/project: Use api.Project over db.Project
  • lxd: manually fetch project Config or use api struct
  • lxd/project/permissions/test: Fix tests
  • lxd/api/project: Return immediately if project is used
  • shared/cert: Update test certs to EC
  • Revert "Skip clustering-related unit tests, see issue #6122"
  • lxd: Remove old clustering tests
  • lxd/cluster/connect: Modify ConnectIfInstanceIsRemote to return a client configured with project
  • lxd/instance/console: Use api.NewURL in instanceConsolePost
  • lxd/instance/exec: Use api.NewURL in instanceExecPost
  • lxd: No need to use UseProject() with client from ConnectIfInstanceIsRemote
  • lxd/migrate: Adds migrationControlResponse type
  • lxd/migrate: Update controlChannel to return migrationControlResponse
  • lxd: golint fixes
  • lxd/migrate/instance: migrationControlResponse usage
  • lxd/migrate/storage/volumes: migrationControlResponse usage
  • lxd/device/device/utils/disk: Look for QEMU helpers in /usr/libexec/
  • lxd: Switch to using api.StatusErrorCheck where appropriate
  • lxd/db/generate: Update to use api.StatusErrorCheck
  • lxd/db: Regenerates DB functions
  • lxd/storage/drivers/zfs: send -w is possible since 0.8.0
  • lxd/state: Make InstanceTypes store errors
  • lxd/instance/drivers: Replace SupportedInstanceTypes with DriverStatuses
  • lxd: DriverStatuses usage
  • lxd/instance: Report driver errors
  • lxd/instance/qemu: Improve errors in Info
  • lxd-agent: Fix trans= handling
  • lxd/instance/drivers/driver/qemu: Update Export to use qemu-img convert in direct I/O mode
  • lxd/storage/utils: Updates ImageUnpack to use qemu-img convert in direct I/O mode
  • lxd/storage/drivers/utils: Update copyDevice to open files in read only mode
  • lxd/storage/drivers/driver/dir/volumes: Reduce var scope in CreateVolumeSnapshot
  • lxd/storage/drivers/driver/dir/volumes: Use dd to restore block volumes in RestoreVolume
  • lxd/instance: Enforce a 64 chars device name limit
  • doc/instances: Mention 64 chars limit on device names
  • lxd/device/disk: Drop 27 chars limit
  • lxd/storage/utils: Disable format detection in qemu-img info in ImageUnpack
  • lxd/instance/qemu: Use a hash for long disk names
  • lxd/instance: Fix Update calls for ephemeral instances
  • tests: Add restart test for ephemeral instances
  • test: simplify handling of set -x
  • lxd/db/generate: Don't list bash completion
  • lxd/storage: Forward instance volume state request
  • client: Add GetMetrics
  • lxd/device/proxy: Fix comment typo
  • doc: Remove user-facing mentions of cluster node
  • lxd: Replace local node mentions with local member
  • lxd/api/cluster: Request that projects with restricted.networks be created first in clusterInitMember
  • lxd/init: Re-arrange initDataNodeApply order
  • lxd/init: Error quoting in initDataNodeApply
  • lxd/init: Create relevant networks before and after projects in initDataNodeApply
  • test: Check that default project networks are created before projects during cluster member join
  • doc/reference/network/bridge: Clarify ipv{n}.nat default value added when creating networks
  • lxd/instance/drivers/driver/qemu: Catch stateful resume errors in Snapshot
  • test: fix copy-n-paste error
  • lxd/instance/drivers/driver/qemu: Pass nvram file by FD and make writable by QEMU process
  • lxd/console: Move PTS logic to LXC driver
  • lxd/instance/qemu: Switch to socket for console
  • lxd/apparmor: Treat ramfs the same as tmpfs
  • lxd/network/driver/sriov: Mark network as available on successful start
  • lxd/storage/drivers/zfs: Fix optimized refresh in migration
  • lxd/storage/drivers/zfs: Delete volume before copying
  • test/suites/migration: Run optimized refresh test
  • lxd-agent: Enable gorilla UseEncodedPath
  • lxd-agent: Unescape URL path variables
  • lxd: Enable gorilla UseEncodedPath
  • lxd: Unescape path URL variables
  • lxd/instance/drivers/driver/qemu: Centralise logic for UEFI architecture detection
  • lxd/instance/drivers/driver/qemu: Only use NVRAM firmware template on UEFI architectures
  • lxd/instance/drivers/driver/qemu/templates: Removes duplicated arch check in qemuDriveFirmware
  • lxd/network/zone/zone: Improve validation of network zone name
  • test: Improve network zone tests
  • test/suites/migration: Add more refresh tests
  • lxd/db: Support for profiles in CreateImage
  • lxd: Support for profiles in image copying
  • shared/api: Add Profiles field to ImageExportPost
  • client: Support for profiles in image copying
  • lxc/image: Add a '--profile' option to lxc image copy
  • api: image_copy_profile
  • tests: Add tests for '--profile' option in image copy
  • doc/rest-api: Refresh swagger YAML
  • i18n: Update translation templates
  • gateway: Separate, smaller timeout for client request
  • lxd/instance/drivers: Ensure that devices are added and removed in the correct order
  • lxd/storage/drivers/volume: Still attempt to unmount on task error in MountTask
  • lxd/storage/drivers: Be explicit with logic brackets
  • shared/util/linux: report "Detected poll(POLLNVAL) event" at debug level
  • shared/util/linux: fix typos in comments
  • shared/util/linux: drop trailing "." in logs
  • lxd/internal: Coding style
  • lxd/db/query: Coding style
  • lxd/main_interactive: Fix bad servername
  • lxc/copy: Add description of modes
  • lxc/move: Add description of modes
  • i18n: Update translation templates
  • lxd/init: Eliminate serverName
  • lxc/utils: Fix bad error string
  • i18n: Update translation templates
  • lxd/instance/qemu: Don't timeout during migration
  • test: restore "set -x" at the end of respawn_lxd()
  • lxd/db/generate/db/parse: Add ParsePackage
  • lxd/db/generate: Use sql.Tx param for generated functions
  • lxd/db/generate/db/stmt: Parse any imported package
  • test: avoid unbound var if cleanup() is called early on
  • lxd/storage/drivers/driver/lvm/volumes: Fix restoration of block volume snapshots
  • lxd/storage/drivers/driver/lvm/utils: Use 100%ORIGIN as size for non-thin snapshots
  • lxd/instance/drivers/driver/qemu: Removes unused return var from unmount
  • lxd/storage/drivers/driver/lvm/utils: Code style in activateVolume
  • lxd/storage/drivers/driver/lvm/volumes: Restrict var scope in volDevPath
  • lxd/storage/drivers/generic/vfs: Catch unmount errors in genericVFSBackupUnpack
  • lxd/sys: Fix vsockID detection
  • test: Don't leave files behind
  • lxd/storage: Allow parallel writes in qemu-img
  • lxd/storage/drivers: Extend CephMonitors
  • lxd/storage/cephfs: Simplify use of CephMonitors
  • lxd/device/disk: Simplify cephfs handling
  • lxd/db: Specify cluster package in generator comments
  • lxd/db/projects.mapper: Remove Certificates/Projects from db package
  • lxd/db/cluster/projects: Add cluster package db entities
  • lxd/db/cluster/projects.mapper: Generate cluster package methods/stmts
  • lxd/db/db/unified: Add unified DB struct
  • lxd/state/state: Use unified DB struct
  • lxd/db/db: Store cluster statements in global map
  • lxd/db/transaction: Add Tx method
  • lxd/db/db: Add ctx to cluster.Transaction
  • lxd: Use new DB type and Transaction method
  • lxd/tests: fix tests
  • lxd/db/generate/db/lex: Fix adjective pluralization
  • Cluster: use gateway context for client.Leader requests
  • lxd/db/query/transaction: Removes TransactionCtx and updates Transaction to take a context
  • Cluster: granular locking in Gateway.Handlerfuncs
  • lxd: query.Transaction usage
  • lxd/db/query: Gets both schema and data from sqlite.
  • lxd/db/query: Updates tests for refactored dump functions.
  • lxd: Updates SQLGet handler for refactored SQL dump.
  • test/suites/sql: Removes test for schema table data when getting schema only.
  • test: rename unused var to "_"
  • lxd/db/query: Return the table schema sql verbatim from sqlite_master.
  • lxd/db/query: Dumps all entities in sqlite_master table.
  • lxd/db/query: Updates tests to remove quotes.
  • lxd/db/query: Adds index to test schema and dump output.
  • lxd/sql: Do not format output of .dump and .schema.
  • test/sql: Adds some checks to ensure other db schema entities are captured.
  • lxc: Replace 20.04/Focal Fossa by 22.04/Jammy Jellyfish
  • doc: Replace 20.04/Focal Fossa by 22.04/Jammy Jellyfish
  • shared/api: Replace 20.04/Focal Fossa by 22.04/Jammy Jellyfish
  • lxd/db: Replace 20.04/Focal Fossa by 22.04/Jammy Jellyfish
  • doc/rest-api: Refresh swagger YAML
  • i18n: Update translation templates
  • lxd: Moves swagger response definitions to response package.
  • test/suites/static_analysis: Modifies deadcode exception to new dir.
  • lxd/seccomp/seccomp: Fix comment on HandleSchedSetschedulerSyscall
  • api: Adds container_syscall_intercept_sysinfo extension
  • doc/instances: Adds security.syscalls.intercept.sysinfo documentation
  • doc/syscall-interception: Add sysinfo
  • scripts/bash: security.syscalls.intercept.sysinfo
  • shared/instance: Add security.syscalls.intercept.sysinfo
  • lxd/cgroup/abstraction: Adds GetEffectiveMemoryLimit function
  • doc: move content and add headings
  • lxd/db/generate/file/write: Support adding build comments
  • lxd/db: Specify build comments in generator comments
  • lxd/db/generate/file/write: Add interface flag
  • lxd/db/warnings: Add interface flag to generator comments
  • shared/cert: Adds method for returning the public key as an x509 cert.
  • lxd/cgroup/file: Fix incorrect path matching for /init.scope in NewFileReadWriter
  • lxd/instance/drivers/driver/lxc: cg.GetEffectiveMemoryLimit usage in Metrics
  • lxd/seccomp: Add sysinfo handler
  • test: syscall interception
  • test: Fix start_external_auth_daemon to work with git 2.34.1
  • test: Adds syscall sysinfo interception test
  • lxd/db/generate/db: Returns a status error on create if entry already exists.
  • doc: whitespace changes
  • lxd/db/cluster: Regenerates schema.
  • doc: update documentation for integrating with systemd-resolved
  • lxd/db/generate: Returns status error if delete operation affects zero rows.
  • lxd/db/cluster: Regenerates database files.
  • lxd/project: Allow sysinfo intercept
  • lxd/device/disk: Handle long paths in virtiofsd
  • gomod: Update github.com/canonical/go-dqlite to v1.11.1
  • lxd/resources: Handle nested devices
  • lxd/instance/drivers/driver/lxc: Update deviceRemove to accept a device.Device
  • lxd/instance/drivers/driver/qemu: Update deviceRemove to accept a device.Device
  • lxc/file: Fix edit in snap environment
  • lxd/storage/drivers/driver/lvm/utils: Don't try and deactivate snapshot non-thin volume if parent volume in use
  • lxd/instance/drivers/driver/lxc: Removes unmounted return var from unmount
  • lxd/storage/pool/interface: Remove unmounted indicator from UnmountInstance and UnmountInstanceSnapshot
  • lxd/storage/pool/backend/mock: Remove unmounted indicator from UnmountInstance and UnmountInstanceSnapshot
  • lxd/storage/pool/backend/lxd: Remove unmounted indicator from UnmountInstance and UnmountInstanceSnapshot
  • lxd/instance/drivers/driver/lxc: pool.UnmountInstance and pool.UnmountInstanceSnapshot usage
  • lxd/instance/drivers/driver/qemu: pool.UnmountInstance usage
  • lxd/device/disk: Updates applyQuota with MountInstance usage
  • lxd/storage/utils: Updates InstanceUnmount to not return unmounted indicator
  • lxd/storage/drivers/generic/vfs: Comment typo
  • shared/api: nowadays various types of certs are accepted
  • doc/rest-api: Refresh swagger YAML
  • i18n: Update translations from weblate
  • gomod: Update dependencies
  • api: clustering_evacuation_mode
  • shared/api: Add Mode to ClusterMemberStatePost
  • lxd/cluster: Support evacuation mode override
  • lxc/cluster: Add --action to evacuate
  • i18n: Update translation templates
  • doc/rest-api: Refresh swagger YAML
  • lxc/storage: Show volume total size
  • i18n: Update translation template
  • test: Skip seccomp notify tests if seccomp notify not supported
  • lxd/storage/drivers/btrfs: Delete volume after receiving new one
  • lxd/storage/drivers/btrfs: Check length of snapshots slice
  • test: Extend refresh migration tests
  • shared/cancel: Renames Canceler to HTTPRequestCanceller.
  • doc: mention that ECDSA cert generation requires openssl 1.1.0+
  • lxd/storage/utils: Improve logging in ImageUnpack
  • lxd/storage/drivers/driver/common: Adds allowUnsafeResize argument to runFiller
  • lxd/storage/drivers/driver/btrfs/volumes: runFiller usage
  • lxd/storage/drivers/driver/ceph/volumes: d.runFiller usage
  • lxd/storage/drivers/driver/cephfs/volumes: d.runFiller usage
  • lxd/storage/drivers/driver/dir/volumes: d.runFiller usage
  • lxd/storage/drivers/driver/lvm/volumes: d.runFiller usage
  • lxd/storage/drivers/driver/zfs/volumes: d.runFiller usage
  • shared/cancel: Adds simple Canceller type wrapping a context.Context.
  • lxc/delete: Validate all instances exist
  • i18n: Update translation templates

Try it for yourself

This new LXD release is already available for you to try on our demo service.

Downloads

The release tarballs can be found on our download page.

Binary builds are also available for:

  • Linux: snap install lxd
  • MacOS: brew install lxc
  • Windows: choco install lxc

LXD 5.0 LTS has been released

4th of April 2022

Introduction

The LXD team is very excited to announce the release of LXD 5.0 LTS!

This is our 4th LTS release and quite an exciting one for anyone coming from LXD 4.0 as it significantly steps up LXD's abilities, especially when operating in clustered environments.

The changelog below is split so that both users of LXD 4.24 and LXD 4.0 can see what we have in store for them.

As with all our other LTS releases, this one will be supported for 5 years (June 2027) and will receive a number of bugfix and security point releases over that time.

As for LXD 4.0, we'll be releasing one last bugfix release as 4.0.10 in the near future before we enter security-only maintenance mode for its remaining 3 years.

Enjoy!

Breaking changes

Changes in minimum requirements

As with any new LTS release, we've updated our minimum requirements to a set which we believe we can maintain for the next 5 years.

This is now:

  • Kernel version: 5.4
  • Go version: 1.18
  • LXC version: 4.0.x
  • QEMU version: 6.0

Additionally, we've updated LXD to require TLS 1.3 for all incoming and outgoing network connections.

Documentation: https://linuxcontainers.org/lxd/docs/master/requirements/

Changes in supported upgrade path

Up until now, LXD has been fully backward compatible and so would support directly upgrading LXD 0.1 straight to the very latest LXD release.

This became increasingly costly in the amount of code we had to keep around to handle data migration. It also forced us to keep depending on old dependencies that had gone unmaintained for years, which was becoming a potential security risk.

As a result, LXD 5.0 was changed to only support upgrading from LXD 4.0 or higher.
Users coming from an earlier release will need to first upgrade to LXD 4.0.x prior to upgrading to LXD 5.0.
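As an added example (not from the announcement or the LXD project), here is a pre-upgrade check script covering both the new minimum requirements and the supported upgrade path described above. The version probes it runs on the host (`uname -r`, `go version`, `lxc-start --version`, `qemu-system-x86_64 --version`, `lxd --version`) are assumptions about how the host reports its versions; the thresholds are the ones listed in this announcement.

```shell
#!/bin/sh
# Added example, not part of the LXD release announcement: checks a host
# against the LXD 5.0 LTS minimum requirements and the supported upgrade path.
# Pure comparison functions are separated from the host probes so the logic
# can be exercised with constructed version strings.

# Minimum versions as listed in the announcement (LXC is listed as 4.0.x,
# treated here as "4.0 or newer").
MIN_KERNEL="5.4"
MIN_GO="1.18"
MIN_LXC="4.0"
MIN_QEMU="6.0"
# LXD 5.0 only supports upgrading from LXD 4.0 or higher.
MIN_UPGRADE_FROM="4.0"

# version_ge A B: succeeds when dotted version A >= B.
# Leading non-digits ("go1.18.1") and trailing suffixes ("5.4.0-91-generic")
# are stripped; missing components count as 0.
version_ge() {
  a=$(printf '%s' "$1" | sed 's/^[^0-9]*//; s/[^0-9.].*$//')
  b=$(printf '%s' "$2" | sed 's/^[^0-9]*//; s/[^0-9.].*$//')
  while [ -n "$a" ] || [ -n "$b" ]; do
    ca=${a%%.*}; cb=${b%%.*}
    [ "${ca:-0}" -gt "${cb:-0}" ] && return 0
    [ "${ca:-0}" -lt "${cb:-0}" ] && return 1
    # Drop the component just compared, or empty the string when none is left.
    case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
    case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
  done
  return 0
}

# check_one NAME HAVE NEED: prints one OK/FAIL line, fails when HAVE < NEED.
check_one() {
  if version_ge "$2" "$3"; then
    printf 'OK    %-6s %s (minimum %s)\n' "$1" "$2" "$3"
    return 0
  fi
  printf 'FAIL  %-6s %s (minimum %s)\n' "$1" "$2" "$3"
  return 1
}

# check_requirements KERNEL GO LXC QEMU: compares the given versions against
# the LXD 5.0 minimums; fails if any one of them is too old.
check_requirements() {
  rc=0
  check_one kernel "$1" "$MIN_KERNEL" || rc=1
  check_one go     "$2" "$MIN_GO"     || rc=1
  check_one lxc    "$3" "$MIN_LXC"    || rc=1
  check_one qemu   "$4" "$MIN_QEMU"   || rc=1
  return $rc
}

# upgrade_path_ok CURRENT_LXD: succeeds when a direct upgrade to 5.0 is
# supported. Anything below 4.0 must first be upgraded to a 4.0.x release.
upgrade_path_ok() {
  version_ge "$1" "$MIN_UPGRADE_FROM"
}

# Host probes (assumed command names and output formats; adjust for your
# distribution or snap layout). Each prints a bare version or nothing.
probe_kernel() { uname -r; }
probe_go()     { go version 2>/dev/null | sed -n 's/.*go\([0-9][0-9.]*\).*/\1/p'; }
probe_lxc()    { lxc-start --version 2>/dev/null; }
probe_qemu()   { qemu-system-x86_64 --version 2>/dev/null | sed -n 's/.*version \([0-9][0-9.]*\).*/\1/p'; }
probe_lxd()    { lxd --version 2>/dev/null; }

run_probe() {
  status=0
  check_requirements "$(probe_kernel)" "$(probe_go)" "$(probe_lxc)" "$(probe_qemu)" || status=1
  current=$(probe_lxd)
  if upgrade_path_ok "$current"; then
    printf 'OK    LXD %s can be upgraded directly to 5.0\n' "$current"
  else
    printf 'FAIL  LXD %s must be upgraded to 4.0.x before moving to 5.0\n' "$current"
    status=1
  fi
  return $status
}

# Only touch the host when explicitly asked, so the functions can be sourced.
case "${1:-}" in --probe) run_probe ;; esac
```

Run it with `--probe` on the host to check live values; without arguments it only defines the functions.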

New features and highlights since LXD 4.24

Disk hot-plug for virtual machines

It's now possible to dynamically add disk devices to and remove them from virtual machines.
This is only supported with block volumes and is achieved by editing the list of devices on the instance. The guest will see the new disk being plugged into the SCSI bus.

USB hot-plug for virtual machines

Similarly to disks, it's now possible to dynamically add USB devices to and remove them from virtual machines.
This again is achieved by editing the list of devices on the instance and results in a plain USB hotplug event in the guest.

Startup with degraded networking

Following the degraded storage pool handling in LXD 4.24, we have now added the same feature but for networks.

This means that should a network be unable to start, for example because of a missing dependent device, LXD itself will no longer fail to start. Instead it will start as many of the instances as it can and will then start the remaining instances once the network can be started.

New ovn-chassis cluster member role

A new ovn-chassis cluster member role was added.
This is only relevant to clusters using OVN for networking. On such clusters, assigning this role allows restricting what servers will act as OVN chassis (effectively routers).

When no server has the role (the default), they all participate as usual. As soon as the role is assigned to one or more servers, those start acting as the OVN chassis and the others disable their chassis feature.

This allows a better balance of network and CPU resources on a cluster and also allows for disabling the OVN chassis feature on less powerful or degraded systems.

Optimized refresh of storage volumes

For a few releases now, LXD has supported refreshing existing instances or custom storage volumes.

The way this worked was by first performing a normal copy of the instance or volume and then refreshing that copy. The initial copy would use the optimized migration logic, such as zfs or btrfs send/receive, while the subsequent refresh would use a plain rsync.

This approach, however, really doesn't work well with virtual machines, where rsync isn't of much use, and it can also lead to excessive transfer sizes for what should otherwise be small changes between snapshots.

To improve that, LXD will now use the optimized migration logic for refreshes too. When both source and target server use the same storage pool type and a supported LXD version, they will automatically use snapshots and send/receive rather than rsync.

Reworked cloud-init instance-id logic

Ever since LXD has supported cloud-init, it has used the instance name as the cloud-init instance-id.
This meant that the only thing which would trigger a cloud-init re-run would be the instance changing name, either through an instance rename or because of it being copied.

To better match the behavior seen in other cloud environments, LXD now uses a UUID as the instance-id instead. That UUID is reset on instance renames and instance copies, but also on any change to the cloud-init configuration keys (user-data, vendor-data and network-config) and on changes to the list of network interfaces.

sched_setscheduler system call interception

LXD now supports intercepting the sched_setscheduler system call.
This allows unprivileged LXD containers to change process priorities beyond what's allowed for unprivileged users. This was motivated by Android containers needing advanced control over process priorities.

lvm.thinpool_metadata_size storage pool option

A new LVM storage pool option was added to control the size of the thinpool metadata.
When not set, LVM is left to pick an appropriate value.

Reworked lxc network info

lxc network info was updated to cover a variety of additional network information.
This includes:

  • Bond information
  • Bridge information
  • VLAN information
  • OVN network information (HA chassis)

Here's an example for a bridge:

stgraber@castiana:~$ lxc network info lxdbr0
Name: lxdbr0
MAC address: 00:16:3e:d6:0a:4c
MTU: 1500
State: up
Type: broadcast

IP addresses:
  inet    10.128.192.1/24 (global)
  inet6   fd42:ae5f:98ab:a816::1/64 (global)
  inet6   fe80::216:3eff:fed6:a4c/64 (link)

Network usage:
  Bytes received: 207.51kB
  Bytes sent: 9.02MB
  Packets received: 2667
  Packets sent: 2967

Bridge:
  ID: 8000.00163ed60a4c
  STP: false
  Forward delay: 1500
  Default VLAN ID: 1
  VLAN filtering: true
  Upper devices: tapbb4affbb, vethb8985ecc

Highlights for those coming from LXD 4.0

It's very hard to condense everything we've done over the past two years into something that can be read in just a few minutes, but LXD has grown a lot since its last LTS.
Virtual machines are now effectively at feature parity with containers, a lot of networking options were added, and clustering and project features grew as well.

Virtual Machines

  • vTPM support
  • Arbitrary PCI device passthrough
  • Live migration (and stateful snapshot/stop)
  • Network device hotplug
  • Block custom volume

Networking

  • Overlay networking with OVN
  • Network ACLs for bridge and OVN networks
  • Network forwards (floating IPs)
  • BGP announcement of network routes and routed IP addresses
  • Network peering (OVN)
  • Network zones (DNS)
  • Network acceleration (SR-IOV)

Storage

  • Instance and volume refreshes
  • Block custom storage volumes

Projects

  • Resource limits
  • Restricted cluster targets
  • Restricted certificates
  • Networks (OVN)
  • Usage report
  • Desktop integration

Migration

  • Reworked migration tool (lxd-migrate) with support for both containers and VMs

Clustering

  • Failure domains to properly balance database roles
  • Easy cluster evacuation support
  • Server groups for targeting and restrictions
  • Instance metrics (OpenMetrics) with Grafana dashboard

Complete changelog

Here is a complete list of all changes in this release:

Full commit list
  • shared/util/linux: only complain on xattr size increase
  • fix typo
  • lxc/file: Update the description in lxc file mount
  • i18n: Update translation templates
  • sphinx: Don't pin dependencies
  • lxd/db: Support for expiry_date in GetLocalStoragePoolVolumeSnapshotsWithType
  • lxd: Support for expiry date in storagePoolVolumeSnapshotsTypeGet
  • lxd: Warn if exec control connection disconnects prematurely
  • lxd/cluster/heartbeat: Ensure g.Cluster is available
  • client/lxd: Add 5 second handshake timeout to websocket.Dialer
  • lxd: Add 5 second handshake timeout to websocket.Dialer
  • test: Add 5 second handshake timeout to websocket.Dialer
  • lxd/db: Add snapshot id to return value in GetExpiredStorageVolumeSnapshots
  • lxd/storage: Prevent concurrent snapshot for a volume
  • lxd: Prevent concurrent snapshot expiry for a volume
  • lxd/instance_sftp: Handle projects on forward
  • client: Use DialTLS for SFTP connections
  • client: Replace addMacaroonHeaders with addClientHeaders function
  • client/lxd: Removes duplicated header setting in rawQuery
  • client: Replaces r.httpHost with r.httpBaseURL from net/url package
  • test: Fix container devices nic bridged filtering tests on recent versions of nftables
  • client/lxd/instances: Avoids connecting twice in rawSFTPConn
  • test: Update file manipulation tests to use projects
  • lxd/instance: Improve var naming and comments related to pruneExpiredInstanceSnapshots
  • lxd/storage/volumes/snapshot: Improve var naming and comments related to pruneExpiredCustomVolumeSnapshots
  • lxd/instance/drivers/driver/lxc: Create log path for forkfile if missing in FileSFTPConn
  • lxd/instance/drivers/driver/lxc: Clean up forkfile.pid on exit
  • lxd/cluster/upgrade: Improve logging in triggerUpdate
  • lxc/network: Extend coverage of 'lxc network info'
  • i18n: Update translation templates
  • lxc/file: Use random auth creds if --no-auth and --auth-user flags not specified
  • test: Update SSH SFTP tests
  • i18n: Update translation templates
  • tests/includes: Adds util to wait for DAD to complete.
  • tests: Uses wait_for_dad util instead of sleep.
  • doc: restrict docutils version to fix parsing of notes
  • lxd/firewall: Accept slices of IPv4 and IPv6 networks for bridge filter.
  • lxd/device: Adds function to calculate allowed IPv4 and IPv6 subnets.
  • lxd/device: Use allowedIPNets to set up the firewall rules.
  • lxd/bgp: Handle multiple matches in RemovePrefix
  • lxd/bgp: Fix issue with modifying paths list while iterating
  • lxd/bgp: Don't fail on missing path
  • doc: add an extension for including YouTube links
  • doc: add related YouTube links
  • lxd/daemon: Adds kernelVersion to daemon struct
  • lxd/state/state: Adds KernelVersion field to State structure
  • lxd/instance/drivers/driver/qemu: Use d.state.KernelVersion
  • lxd/instance/drivers/driver/qemu: Only enable io_uring support in kernels <= 5.13.0
  • lxd/cgroup/abstractions: Wrap parse errors to give context of problematic value
  • lxd/storage/utils: Prevent white space in storage pool names
  • doc: update YouTube extension to be ignored by OpenGraph
  • doc: open YouTube links in a new window
  • lxd/storage/drivers: Add ErrSnapshotDoesNotMatchIncrementalSource
  • lxd/storage/drivers/zfs: Support optimized refresh
  • lxd/storage/drivers/btrfs: Add volumeSnapshotsSorted
  • lxd/storage/drivers/btrfs: Support optimized refresh
  • lxd/migration: Add new zfs feature to protobuf
  • lxd/migration: Add new zfs feature
  • lxd/migration: Add Refresh option to source
  • lxd/storage/drivers/zfs: Add migration header structs and functions
  • lxd/storage: Indicate to sender to use incremental streams
  • lxd/storage/drivers/zfs: Support optimized refresh for migration
  • lxd/migration: Add header_subvolume_uuids to protobuf
  • lxd/storage/drivers/btrfs: Add UUIDs to subvolume info
  • lxd/migration: Add BtrfsFeatureSubvolumeUUIDs
  • lxd/storage/drivers/btrfs: Add getSubvolume*UUID functions
  • lxd/storage/drivers/btrfs: Support optimized refresh for migration
  • lxd/migration: Consider refresh and common features
  • lxd/instance/lxc: Handle long forkfile socket paths
  • lxd/cluster: Don't mask lack of cluster response
  • lxd/device: Use allowedIPNets when clearing firewall rules.
  • lxd/firewall/drivers: Fix typo in comment.
  • lxd/firewall/drivers: Adds subnetMask and subnetHexPrefix utils.
  • lxd/firewall/drivers: Update ebtable and ip6table rule generation.
  • lxd/firewall/drivers: Update ebtables rule matching logic.
  • tests: Ensure firewall does not drop packets from within ipv4.routes.
  • tests: Corrects host IP in IPv6 tests.
  • tests: Change address of ipv6 network interface.
  • tests: Tests ipv6.routes and ipv6.routes.external rules.
  • lxd/firewall/drivers: Updates nftables bridge filter to accept multiple subnets.
  • lxd/firewall/drivers: Remove FilterAllIPv{n} consts.
  • tests: Updates tests for new nftables rules.
  • lxc/file: Ensure sshfs closes on exit request
  • lxd/response/upgrade: Adds Upgrade function to upgrade an HTTP connection
  • lxd-agent/sftp: response.Upgrade usage
  • lxd/cluster/gateway: response.Upgrade usage
  • lxd/instance/sftp: response.Upgrade usage
  • i18n: Update translations from weblate
  • lxd/storage: Renames setupStorageDriver to storageStartup
  • lxd: storageStartup usage
  • lxd/storage: Comment consistency with networkStartup
  • lxd/networks: Corrects comment copy/paste error
  • lxd/device/config/devices: More efficient allocations
  • lxd/device/device/interface: Adds PreStartCheck
  • lxd/device/device/common: No-op PreStartCheck
  • lxd/device/disk: Adds PreStartCheck function to check if storage pool is available
  • lxd/device/disk: Included wrapped error in diskSourceNotFoundError
  • lxd/instance/drivers: Expand start up validation to check for root disk storage pool availability
  • lxd/storage/load: Replaces UnavailablePools with IsAvailable
  • lxd/storage/errors: Removes unused ErrPoolUnavailable error var
  • lxd/storage/backend/lxd: IsAvailable usage
  • lxd/storage/backend/lxd: Replaces use of ErrPoolUnavailable with generic http.StatusServiceUnavailable
  • lxd/instances: Prevent concurrent running of instancesStart
  • lxd/instances: Updates instancesStart to detect http.StatusServiceUnavailable error class
  • lxd/instance/drivers: Call device.PreStartcheck() from deviceStart()
  • lxd/instance/drivers: Use device rather than devName in contextual logging
  • lxd/instance/drivers/driver/qemu: Log project and instance name in getAgentMetrics
  • lxd/storage: Increase log warnings to errors in storageStartup
  • shared/api: Add Project to ImageExportPost
  • client: Support for target project when copy image with push mode
  • lxd: Support for target project when copy image with push mode
  • lxc/image: Add target-project flag to 'image copy' command
  • api: images_target_project
  • tests: Add tests for copying image between projects
  • i18n: Update translation templates
  • doc/instances: Add volatile.cloud-init.instance-id
  • doc/dev-lxd: Update instance-id to UUID
  • shared/instance: Add volatile.cloud-init.instance-id
  • lxd/devlxd: Use volatile.cloud-init.instance-id
  • lxd/instance: Implement volatile.cloud-init.instance-id
  • lxd-agent: Add cloud-init-id field
  • lxd/instance/qemu: Use volatile.cloud-init.instance-id
  • lxd/instance: Add resetInstanceID
  • lxd/instance: Reset instance-id on rename
  • lxd/instance: Reset the instance-id on relevant config changes
  • tests: Add test for instance-id
  • lxd/devlxd: Fix argument naming
  • lxd/instance: Add CloudInitID
  • lxd/device/device/interface: Adds Name and Config to Device interface
  • lxd/instance/drivers/driver/lxc: Update deviceLoad to just return Device
  • lxd/instance/drivers/driver/lxc: Updates lxcCreate to use deviceLoad and deviceAdd
  • lxd/instance/drivers/driver/lxc: Updated usage of deviceLoad
  • lxd/instance/drivers/driver/lxc: Updates deviceAdd to accept a device
  • lxd/instance/drivers/driver/lxc: Updates deviceStart to accept a device
  • lxd/instance/drivers/driver/lxc: Adds Adding device log message
  • lxd/instance/drivers/driver/lxc: Updates startCommon to use deviceLoad and deviceStart separately
  • lxd/instance/drivers/driver/lxc: Updates updateDevices to use deviceLoad and deviceAdd/deviceUpdate separately
  • lxd/instance/drivers/driver/qemu: Update deviceLoad to just return Device
  • lxd/instance/drivers/driver/qemu: d.deviceLoad usage
  • lxd/instance/drivers/driver/qemu: Adds Adding device log message
  • lxd/instance/drivers/driver/qemu: Adds Removing device log message
  • lxd/instance/drivers/driver/qemu: Update deviceAdd to accept a device
  • lxd/instance/drivers/driver/qemu: Updates qemuCreate to use deviceLoad and deviceAdd
  • lxd/instance/drivers/driver/qemu: Updates updateDevices to use deviceLoad and deviceAdd/deviceUpdate separately
  • lxd/instance/drivers/driver/qemu: Updates deviceStart to accept a device
  • lxd/instance/drivers/driver/qemu: deviceStart usage
  • lxd/instance/drivers: Load all devices before starting them during instance start
  • lxd/instance/drivers: Add pre-start device checks when starting instance devices
  • lxd/instance/drivers/driver/lxc: Update deviceStop to accept a device
  • lxd/instance/drivers/driver/lxc: Update startCommon to pass device to d.deviceStop
  • lxd/instance/drivers/driver/lxc: Updates cleanupDevices to pass device to d.deviceStop
  • lxd/instance/drivers/driver/lxc: Updates updateDevices to pass device to d.deviceStop
  • lxd/instance/drivers/driver/qemu: Updates deviceStop to accept device
  • lxd/instance/drivers/driver/qemu: Update Start to pass device to deviceStop
  • lxd/instance/drivers/driver/qemu: Updates updateDevices to pass device to deviceStop
  • lxd/instance/drivers/driver/qemu: Updates cleanupDevices to pass device to deviceStop
  • lxd/response/smart: Adds IsNotFoundError function
  • lxd: Replace checks for various not found errors with response.IsNotFound() usage
  • lxd/instance: Move VMAgentData to instancetype
  • lxc/utils/table: add compact table
  • i18n: Update translation templates
  • shared/api/network: Adds NetworkStatusUnavailable constant
  • lxd/db/warnings/types: Rename WarningNetworkStartupFailure to WarningNetworkUnvailable
  • lxd/network/network/load: Adds IsAvailable and function
  • lxd/network/driver/common: Adds setAvailable and setUnavailable functions
  • lxd/network/driver/common: Updates LocalStatus to return api.NetworkStatusUnavailable if unavailable.
  • lxd/network/network/interface: Adds Locations
  • lxd/network/driver/common: Implements Locations
  • lxd/network/driver/bridge: Updates Start to set availability
  • lxd/network/driver/bridge: Remove warning management from driver
  • lxd/network/driver/macvlan: Updates Start to set availability
  • lxd/network/driver/sriov: Updates Start to set availability
  • lxd/network/driver/physical: Check parent exists when starting
  • lxd/network/driver/physical: Updates Start to set availability
  • lxd/network/driver/physical: Remove warning management from driver
  • lxd/network/driver/physical: Remove duplicate start log
  • lxd/network/driver/ovn: Updates Start to set availability
  • lxd/network/driver/ovn: Refuse to start if uplink network is unavailable
  • lxd/network/driver/ovn: Remove warning management from driver
  • lxd/networks: Updates networkStartup to retry starting degraded networks in the background
  • lxd/networks: Updates doNetworkGet to accept an allNodes argument
  • lxd/networks: Updates networksGet to improve naming, comments and doNetworkGet usage
  • lxd/networks: Updates networkGet to improve naming, comments and doNetworkGet usage
  • lxc/network: Always add State column to network list output
  • lxd/device/nic: Adds PreStartCheck function for NICs with managed parent network support
  • lxd/network/driver/common: Delete network from unavailableNetworks on delete
  • lxd/storage: Update comment in storageStartup
  • lxd/network/driver/common: Delete warnings on delete
  • lxd/network/driver/bridge: Remove duplicated warnings delete step
  • lxd/network/network/load: Adds PatchPreCheck function
  • lxd/patches: Adds patchPostNetworks stage
  • lxd/daemon: Adds hook for patchPostNetworks stage
  • lxd/patches: Adds patchGenericNetwork function and updates network patches to use it
  • lxd/storage/backend/lxd: Replaces bespoke revert with revert package
  • shared/api: Adds AllowInconsistent to InstancePost.
  • client: Pass allowInconsistent into instance post request.
  • lxd/instance_post: Use allowInconsistent value in migrations.
  • doc: Updates API spec.
  • doc/environment: Adds LXD_IDMAPPED_MOUNTS_DISABLE env var
  • lxd/daemon: Detect LXD_IDMAPPED_MOUNTS_DISABLE env var and disable idmapped mount support
  • lxd/storage/utils: Adds VolumeDBDelete function
  • lxd/storage/backend/lxd: Replace usage of RemoveStoragePoolVolume with VolumeDBDelete
  • lxd/storage/utils: Reduce arguments of VolumeDBCreate in style of VolumeDBDelete
  • lxd/storage/backend/lxd: VolumeDBCreate usage
  • doc: add an extension for adding Discourse links
  • doc: add links to tutorials on Discourse
  • doc: add links to specifications on Discourse
  • lxd/instance/drivers: Moves StoragePool and getStoragePool to common
  • lxd/network/ovn: Don't use HostPathFollow on OVN configs
  • lxd-agent: cleaner shutdown sequence
  • lxd/networks: Don't keep trying to start removed degraded networks
  • lxd/storage/load: Update GetPoolByInstance to use instance's StoragePool() function
  • lxd/storage/backend/lxd: Ensure we use errors.Is when checking for drivers.ErrNotSupported
  • lxd/instance: Avoid extra query when copying instance snapshot's creation time
  • lxd/storage/utils: Adds VolumeDBGet function
  • lxd/storage/backend/lxd: Renames and reworks instanceRootVolumeConfig into instanceEffectiveRootVolumeConfig
  • lxd/storage/backend/lxd: b.instanceEffectiveRootVolumeConfig usage
  • lxd/storage/utils: Updates comment on VolumeDBCreate
  • lxd/storage/pool/interface: Rename srcVolOnly to snapshots for RefreshCustomVolume and CreateCustomVolumeFromCopy
  • lxd/storage/backend: Update RefreshCustomVolume and CreateCustomVolumeFromCopy to use snapshots arg
  • lxd/storage/volumes: pool.CreateCustomVolumeFromCopy and pool.RefreshCustomVolume usage
  • lxd/storage/utils: Renames and reworks VolumeSnapshotsGet to VolumeDBSnapshotsGet
  • lxd/migrate/storage/volumes: storagePools.VolumeDBSnapshotsGet usage
  • lxd/storage/backend/lxd: VolumeDBSnapshotsGet usage
  • lxd/storage/backend/lxd: Allocate snapshotNames more efficiently in CreateCustomVolumeFromCopy
  • lxd/migrate/instance: Don't ignore existing snapshot instances on migrate receiver
  • lxd/storage/backend/lxd: Comment improvements CreateCustomVolumeFromCopy
  • grafana: Add missing datasource field
  • github: Add Go 1.18
  • doc/clustering: Make more space in table
  • doc/clustering: Remove condition column
  • doc/clustering: Add section about roles
  • lxd/network/ovn: Fix typo
  • lxd/network/ovn: Fix bad comment
  • lxd/api_internal: Sort endpoints
  • doc: rename extension file
  • doc: rename stylesheet classes for extension
  • doc: update the extension to allow for general related links
  • doc: add related links to the documentation
  • lxd/storage/utils: Updates VolumeDBSnapshotsGet to accept drivers.VolumeType arg
  • lxd/storage/backend/lxd: VolumeDBSnapshotsGet usage
  • lxd/migrate/storage/volumes: Updates storagePools.VolumeDBSnapshotsGet usage
  • lxd/db/storage/volumes: Updates GetLocalStoragePoolVolumeSnapshotsWithType to populate ID and Config fields
  • lxd/instance/qemu: Fix regression in cdrom handling
  • api: Adds cluster_allow_inconsistent_copy extension.
  • lxd/storage/backend/lxd: Use more efficient allocations in GetVolume
  • lxd/storage/utils: Removes unnecessary duplicate check in VolumeDBCreate
  • lxd/storage/drivers/volume: Adds VolumeType.IsInstance function
  • lxd/storage/backend/lxd: Define instanceDiskVolumeEffectiveFields
  • lxd/storage/utils: Check that instanceDiskVolumeEffectiveFields are not used for instance volumes DB records
  • lxd/storage/backend/lxd: Reworks instanceEffectiveRootVolumeConfig into instanceEffectiveRootVolume
  • lxd/storage/backend/lxd: b.instanceEffectiveRootVolume usage
  • lxd/instance/drivers/qmp: Support adding and removing block devices
  • lxd/instance/drivers/qemu: Use RemoveDevice for NIC
  • lxd/device/disk: Support hot-plugging
  • lxd/instance/drivers/qemu: Remove unnecessary check
  • lxd/instance/drivers/qemu: Add qemuBlockDevIDPrefix
  • lxd/instance/drivers/qemu: Add deviceAttachBlockDevice
  • lxd/instance/drivers/qemu: Add deviceDetachBlockDevice
  • lxd/instance/drivers/qmp: Add FD set commands
  • lxd/device/config: Put root device first
  • lxd/instance/drivers/qemu: Enable hotplugging raw disks
  • lxd/instance/drivers/qemu: Drop string builder arg
  • lxd/device: Validate disk device name length
  • lxd/instance/drivers/qemu: Remove qemuDrive template
  • lxd/instance/drivers/qemu: Disallow hotplugging directories
  • lxd/images: Remove old db entry after image refresh
  • lxd/operations: Remove all operations for the member in waitForOperations
  • lxd/daemon: waitForOperations usage
  • shared/network: Improve error returned from RFC3493Dialer
  • lxd/operations: Updates operationsGet to exclude offline members like operationsGetByType
  • lxd/operations: Aligns operationsGetByType with operationsGet
  • lxd/db/operations: Renames GetNodesWithRunningOperations to reflect what it does
  • lxd/operations: tx.GetNodesWithOperations usage
  • lxd/state: Rename Context field to ShutdownCtx
  • lxd: State.ShutdownCtx usage
  • lxd/operations/operations: Don't remove DB record in done when LXD is shutting down
  • doc/authentication: mention ECDSA keys as recommended
  • test: Add manual refresh test
  • lxd/instance/drivers/qemu: Fix block devices
  • shared/network: remove CBC + SHA1 ciphersuites
  • shared/network: enable ChaCha20-Poly1305 Cipher Suites for TLS 1.2
  • shared/network: prefer AES-128 over AES-256
  • lxd/instance/drivers/driver/lxc: Remove storage volume DB record creation from lxcCreate
  • lxd/instance/drivers/driver/qemu: Remove storage volume DB record creation from qemuCreate
  • lxd/instance/instance/utils: Removes unused volumeConfig arg from Create
  • lxd/instance/instance/utils: Removes unused volumeConfig arg from CreateInternal
  • lxd/instance/drivers/load: Removes unused volumeConfig arg from create
  • lxd: CreateInternal usage
  • lxd/storage: Removes unused FillInstanceConfig
  • lxd/storage/backend/lxd: CreateInstance storage volume DB records
  • lxd/storage/backend/lxd: CreateInstanceFromImage storage volume DB records
  • lxd/storage/backend/lxd: CreateInstanceSnapshot storage volume DB records
  • lxd/storage/backend/lxd: CreateInstanceFromMigration storage volume DB records
  • lxd/storage/backend/lxd: CreateInstanceFromCopy storage volume DB records
  • lxd/instance: Remove volume settings copying from source in instanceCreateAsCopy
  • lxd/storage/backend/lxd: RefreshInstance storage volume DB records
  • lxd/storage/backend/lxd: CreateInstanceFromBackup storage volume DB records
  • lxd/storage/backend/lxd: Error quoting in UpdateInstance
  • lxd/storage/pool/interface: Update ImportCustomVolume signature
  • lxd/storage/backend/lxd: Update ImportCustomVolume with new signature
  • lxd/api/internal/recover: pool.ImportCustomVolume usage
  • lxd/storage/pool/interface: Update ImportInstance to accept pool volume info
  • lxd/storage/backend/mock: ImportInstance updated signature
  • lxd/storage/backend/mock: ImportCustomVolume updated signature
  • lxd/storage/backend/lxd: ImportInstance storage volume DB record management
  • lxd/api/internal/recover: pool.ImportInstance usage
  • lxd/instance/post: pool.ImportInstance usage
  • lxd/db/instances: Start using api.StatusErrorf http.StatusNotFound
  • lxd/db/storage/pools: Start using api.StatusErrorf http.StatusNotFound
  • test: Improve container_recover test to explicitly check for existence of storage DB records
  • lxd/storage/backend/lxd: No need to wrap errors from VolumeDBCreate
  • lxd/instance/test: Fix TestContainer_LoadFromDB to create storage volume record
  • global: Set TLS 1.3 baseline
  • gomod: Bump to 1.18
  • doc/requirements: Bump minimal requirements
  • github: Drop Go 1.17.x
  • lxd/device: Update to support netip
  • test/macaroon-identity: Reduce external dependencies
  • lxd/cluster: Remove legacy upgrade code
  • gomod: Update dependencies
  • Makefile: Update for Go 1.18
  • lxc/export: Fix help message
  • i18n: Update translation templates
  • Revert "lxd-agent: cleaner shutdown sequence"
  • api: cluster_ovn_chassis
  • doc/clustering: Add ovn-chassis role
  • lxd/db: Add ovn-chassis role
  • lxd/network/ovn: Handle ovn-chassis role
  • lxd/network: Add networkRestartOVN
  • lxd/daemon: Detect change in OVN chassis layout
  • shared/util: Adds generic HasKey function for checking if a map key exists
  • doc: fix typo
  • doc: whitespace changes only
  • doc: reordering content
  • doc: add some headings
  • doc: update network zones documentation
  • doc: updates from review
  • lxc/cluster: Make add easier to script
  • lxc/config_trust: Make add easier to script
  • i18n: Update translation templates
  • lxd/networks: Avoid needless OVN restart on startup
  • client/operations: Fix incorrect interpolation of % characters in errors
  • shared/util: Remove line wrap
  • lxd/db: Add OperationRemoveOrphanedOperations
  • lxd/images: Code style for error handling in pruneExpiredImagesInProject
  • lxd/images: Ensure full fingerprint is returned in imageDelete
  • lxd: Removes doDeleteImageFromPool to reduce DB queries loading pools
  • lxd/images: Contextual logging in autoUpdateImage
  • lxd/images: Log errors in distributeImage
  • lxd/images: Improve errors in distributeImage
  • lxd/images: Log old image fingerprint on DB delete error in autoUpdateImages
  • Revert "lxd/images: Remove old db entry after image refresh"
  • lxd/db/images: Switch to api.StatusErrorf in GetImage
  • lxd/db/images: Whitespace
  • lxd/images: Error improvements in autoUpdateImagesTask
  • lxd/images: Error and comment improvements in autoUpdateImages
  • lxd/images: Distribute refreshed image and delete old image record in imageRefresh
  • lxd/images: Only distribute images if there are >1 members in autoUpdateImages
  • lxd/operations/operations: Convert to contextual logging for operation remove warning
  • lxd/db/db/internal/test: Fix Test_ImageGet_for_missing_fingerprint
  • lxd/storage/backend/lxd: Fix existing image check for rsync in CreateInstanceFromMigration
  • test: Improve tests for image refresh
  • shared/network: require TLS 1.2+ if LXD_INSECURE_TLS
  • test: Improve clustering image refresh tests
  • test: Fix test_image_refresh to work with random mode
  • test: Extract pool driver from standalone pool for cluster image refresh tests
  • lxd/storage/load: Rename GetPoolByName to LoadByName
  • lxd: storagePools.LoadByName usage
  • lxd/storage/load: Renames GetPoolByInstance to LoadByInstance
  • lxd: storagePools.LoadByInstance usage
  • lxd/storage: Renames load.go to pool_load.go
  • lxd/instance/drivers/qmp: Add AddDevice
  • lxd/instance/drivers/qmp: Use AddDevice internally
  • lxd/instance/drivers: Use QMP to add USB devices
  • lxd/instance/drivers/qemu: Remove unused arguments
  • lxd/instance/drivers/templates: Remove qemuUSBDev
  • lxd/device/usb: Always set busnum and devnum
  • lxd/device/usb: Include bus and dev num in device name
  • lxd/device/usb: Populate runConf on stop
  • lxd/instance/driver/qemu: Support USB hotplugging
  • lxd/instance/drivers/qemu: Use fixed number of USB devices
  • lxd/devices/usb: Add USB device to runConf
  • lxd/instance/drivers/qemu: Implement DeviceEventHandler
  • lxd/device/usb: Support hotplugging
  • lxd/operations: Add function to remove orphaned operations
  • lxd/daemon: Remove orphaned operations periodically
  • lxd: Drop devPaths logic
  • Replace interface{} with any
  • doc: add link to multi-user video
  • doc/instances: Extend key column
  • doc/syscall-interception: Cover bpf and mount
  • api: container_syscall_intercept_sched_setscheduler
  • doc: Add security.syscalls.intercept.sched_setscheduler
  • doc/syscall-interception: Add sched_setscheduler
  • shared/instance: Add security.syscalls.intercept.sched_setscheduler
  • scripts/bash: security.syscalls.intercept.sched_setscheduler
  • lxd/seccomp: Add sched_setscheduler
  • lxd: intercept sched_setscheduler() system call
  • lxd/patches: Removes all patches applied since LXD 4.0.0
  • lxd/db: Removes functions used by removed patches
  • lxd/storage: Remove patches not needed since LXD 4.0.0
  • lxd/patches/utils: Removes file
  • lxd/patches: Removes unused functions
  • lxd/storage: Remove check for storage_api patch being applied
  • test: Update sql test to check for more recent patch
  • doc/storage: Adds lvm.thinpool_metadata_size
  • lxd/storage/drivers/driver/lvm/utils: Adds thinpoolMetadataSize arg to createDefaultThinPool
  • lxd/storage/pools/config: Legacy validation for lvm.thinpool_metadata_size
  • lxd/storage/drivers/driver/lvm: Adds lvm.thinpool_metadata_size support
  • lxd/storage/drivers/driver/lvm/utils: Don't round 0 or empty string in roundedSizeBytesString
  • scripts/bash/lxd-client: Adds lvm.thinpool_metadata_size to bash auto complete
  • api: Adds storage_lvm_thinpool_metadata_size API extension
  • test: Fix LVM quota size checks
  • test/includes: Adds LVM support to spawn_lxd_and_join_cluster
  • test: Remove LVM exclusion from test_clustering_image_refresh
  • test: Remove LVM exclusion from test_clustering_storage_single_node
  • test: Remove LVM exclusion from test_clustering_evacuation
  • test: Remove LVM exclusion from test_clustering_storage
  • client: Fix logger calls
  • lxd/db/query: Fix logger calls
  • lxd/device: Fix bad logger calls
  • shared/logging: Remove unused functions
  • shared/logger: Add Ctx
  • global: Switch to logger.Ctx
  • shared/logger: Port to logrus
  • lxd: Switch to using new logger
  • lxd-agent: Switch to using new logger
  • lxc: Switch to using new logger
  • shared/logging: Remove deprecated package
  • lxd/events: Port to logrus
  • lxc/monitor: Port to logrus
  • gomod: Drop log15
  • lxd: make sure we're operating relative to the correct pid namespace
  • client: More flexible server comparison
  • i18n: Update translations from weblate
  • lxd/storage/drivers: Properly use logger.Ctx
  • lxd/storage: Properly use logger.Ctx
  • shared/logger: Properly handle context
  • lxd/certificates: Check validity on upload/update
  • lxd/network/zone: Don't allow duplicate entries
  • lxd: Remove LegacyLocalDatabasePath
  • lxd: Removes LegacyGlobalDatabasePath
  • lxd: Remove legacyPatches
  • lxd: Remove legacyPatches from OpenNode
  • lxd: Don't return a pre-clustering dump from OpenNode
  • lxd/db/legacy: Removes file
  • lxd/db/db: Remove unused Begin
  • lxd/db: Remove schema.Hook from EnsureSchema
  • lxd/db/transaction: Removes unused Tx
  • tests: Remove database_update
  • lxd/cluster: Remove legacy upgrade logic
  • lxd/db: Rename ForLegacyPatches to DirectAccess
  • lxd/certificates: Require a minimum of 2048bit RSA
  • tests: Make certificate_edit use an EC cert
  • tests: Bump easy-rsa key to 4096
  • lxd/operations: Don't crash on missing state

Try it for yourself

This new LXD release is already available for you to try on our demo service.

Downloads

The release tarballs can be found on our download page.

Binary builds are also available for:

  • Linux: snap install lxd
  • MacOS: brew install lxc
  • Windows: choco install lxc

LXD 5.0 LTS has been released

4th of April 2022

Introduction

The LXD team is very excited to announce the release of LXD 5.0 LTS!

This is our 4th LTS release and quite an exciting one for anyone coming from LXD 4.0 as it significantly steps up LXD's abilities, especially when operating in clustered environments.

The changelog below is split so that both users of LXD 4.24 and LXD 4.0 can see what we have in store for them.

As with all our other LTS releases, this one will be supported for 5 years (June 2027) and will receive a number of bugfix and security point releases over that time.

As for LXD 4.0, we'll be releasing one last bugfix release as 4.0.10 in the near future before we enter security-only maintenance mode for its remaining 3 years.

Enjoy!

Breaking changes

Changes in minimum requirements

As with any new LTS release, we've updated our minimum requirements to a set which we believe we can maintain for the next 5 years.

This is now:

  • Kernel version: 5.4
  • Go version: 1.18
  • LXC version: 4.0.x
  • QEMU version: 6.0

Additionally, LXD now requires TLS 1.3 for all incoming and outgoing network connections. Any client, remote or third-party tool whose TLS stack cannot negotiate TLS 1.3 will fail to connect to a 5.0 server, so check such tooling before upgrading.

Documentation: https://linuxcontainers.org/lxd/docs/master/requirements/
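What the new baseline means for a client in practice, shown as an added example (this is not LXD's own code): a loopback crypto/tls server whose MinVersion is set the way the "global: Set TLS 1.3 baseline" commit does, dialled by a client capped at TLS 1.3 and by one capped at TLS 1.2. The self-signed certificate, the 127.0.0.1 listener and InsecureSkipVerify are assumptions made only to keep the demo self-contained.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Protocol versions used below, named so the results read clearly.
const (
	TLS12 uint16 = tls.VersionTLS12 // 0x0303
	TLS13 uint16 = tls.VersionTLS13 // 0x0304
)

// selfSignedCert builds a throwaway ECDSA P-256 certificate for the demo
// server. It lives only in memory; nothing is written to disk.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "tls-baseline-demo"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// Handshake starts a loopback TLS server enforcing serverMin, dials it with a
// client whose MaxVersion is clientMax, and returns the negotiated protocol
// version. A refused handshake returns version 0 and the client's error.
func Handshake(serverMin, clientMax uint16) (uint16, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return 0, err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, err
	}
	defer ln.Close()

	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   serverMin, // the baseline knob: TLS13 refuses older clients
	}
	done := make(chan struct{})
	go func() {
		defer close(done)
		raw, err := ln.Accept()
		if err != nil {
			return
		}
		srv := tls.Server(raw, srvCfg)
		// A version mismatch ends here with an error and reaches the client
		// as a protocol_version alert, so the server side only has to close.
		_ = srv.Handshake()
		srv.Close()
	}()

	cliCfg := &tls.Config{
		MaxVersion:         clientMax,
		InsecureSkipVerify: true, // demo-only: the cert above is self-signed
	}
	cli, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		<-done
		return 0, err
	}
	defer cli.Close()
	<-done
	return cli.ConnectionState().Version, nil
}

func main() {
	cases := []struct {
		name                 string
		serverMin, clientMax uint16
	}{
		{"pre-5.0 server, TLS 1.2 client", TLS12, TLS12},
		{"5.0 server, TLS 1.3 client", TLS13, TLS13},
		{"5.0 server, TLS 1.2-only client", TLS13, TLS12},
	}
	for _, c := range cases {
		v, err := Handshake(c.serverMin, c.clientMax)
		fmt.Printf("%-34s negotiated=%#04x err=%v\n", c.name, v, err)
	}
}
```

The third case is the upgrade hazard: the TLS 1.2-capped client never gets past the handshake, which is exactly what a remote or automation host with an old TLS stack will see against a 5.0 server, regardless of whether its client certificate is trusted.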

Changes in supported upgrade path

Up until now, LXD has been fully backward compatible and so would support directly upgrading LXD 0.1 straight to the very latest LXD release.

This became increasingly costly in the amount of data-migration code we had to keep around. It also kept us depending on old libraries that have gone unmaintained for years, which is a growing security risk.

As a result, LXD 5.0 was changed to only support upgrading from LXD 4.0 or higher.
Users coming from an earlier release will need to first upgrade to LXD 4.0.x prior to upgrading to LXD 5.0.

New features and highlights since LXD 4.24

Disk hot-plug for virtual machines

It's now possible to dynamically add and remove disk devices to and from running virtual machines.
This is only supported for block volumes (directories cannot be hot-plugged) and is achieved by editing the instance's list of devices. The guest sees the new disk being plugged into its SCSI bus.

USB hot-plug for virtual machines

Similarly to disks, it's now possible to dynamically add and remove USB devices to and from running virtual machines.
This is again achieved by editing the instance's list of devices and results in a plain USB hotplug event inside the guest.

Startup with degraded networking

Following the degraded storage pool handling in LXD 4.24, we have now added the same feature but for networks.

This means that should a network be unable to start, for example because of a missing dependent device, LXD itself will no longer fail to start. Instead it will start as many of the instances as it can and will then start the remaining instances once the network can be started.

New ovn-chassis cluster member role

A new ovn-chassis cluster member role was added.
This is only relevant to clusters using OVN for networking. On such clusters, assigning this role allows restricting what servers will act as OVN chassis (effectively routers).

When no member has the role (the default), they all participate as usual. As soon as the role is assigned to one or more servers, those start acting as the OVN chassis and the others disable their chassis feature.

This allows a better balance of network and CPU resources on a cluster and also allows for disabling the OVN chassis feature on less powerful or degraded systems.

Optimized refresh of storage volumes

For a few releases now, LXD has supported refreshing existing instances or custom storage volumes.

The way this worked was by first performing a normal copy of the instance or volume and then refreshing that copy. The initial copy would use the optimized migration logic, such as zfs or btrfs send/receive, while the subsequent refreshes would use plain rsync.

This approach doesn't work well for virtual machines, where rsync offers little benefit on a block device, and it can also lead to excessive transfer sizes for what should otherwise be small changes between snapshots.

To improve that, LXD now uses the optimized migration logic for refreshes too. When source and target use the same storage driver (currently zfs or btrfs) and both run a LXD version that supports it, they automatically use snapshots and incremental send/receive rather than rsync.

Reworked cloud-init instance-id logic

Ever since LXD has supported cloud-init, it has used the instance name as the cloud-init instance-id.
This meant that the only thing which would trigger a cloud-init re-run would be the instance changing name, either through an instance rename or because of it being copied.

To better match the behavior seen in other cloud environments, LXD now uses a UUID as the instance-id instead. That UUID is reset on instance renames and copies, on any change to the cloud-init configuration keys (user-data, vendor-data and network-config), and on changes to the list of network interfaces.
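The reset rule above, written out as an added example (this is not LXD's implementation): a small decision function over the pieces of an instance definition the notes say matter, plus a generator for the kind of value stored in volatile.cloud-init.instance-id. The InstanceSpec type, the comparison of NICs as a set of device names and the choice of a random version-4 UUID are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"sort"
)

// InstanceSpec holds the parts of an instance definition that, per the
// release notes, feed the instance-id decision. The type is an assumption
// made for this example, not LXD's own data model.
type InstanceSpec struct {
	Name   string
	Config map[string]string // expanded config, e.g. "cloud-init.user-data"
	NICs   []string          // names of the instance's nic devices
}

// cloudInitKeys are the configuration keys whose change resets the id.
var cloudInitKeys = []string{
	"cloud-init.user-data",
	"cloud-init.vendor-data",
	"cloud-init.network-config",
}

// NeedsNewInstanceID reports whether the change from old to cur must mint a
// fresh instance-id, which is what makes cloud-init run again on next boot.
// isCopy marks a copy operation, which resets the id even if nothing else
// differs. NICs are compared as a set of device names (assumption: the
// notes only say "changes to the list of network interfaces").
func NeedsNewInstanceID(old, cur InstanceSpec, isCopy bool) bool {
	if isCopy || old.Name != cur.Name {
		return true
	}
	for _, k := range cloudInitKeys {
		if old.Config[k] != cur.Config[k] {
			return true
		}
	}
	return !sameSet(old.NICs, cur.NICs)
}

// sameSet compares two name lists ignoring order.
func sameSet(a, b []string) bool {
	if len(a) != len(b) {
		return false
	}
	x := append([]string(nil), a...)
	y := append([]string(nil), b...)
	sort.Strings(x)
	sort.Strings(y)
	for i := range x {
		if x[i] != y[i] {
			return false
		}
	}
	return true
}

// WithConfig returns a copy of s with config key k set to v; the map is
// cloned so the original spec is left untouched.
func WithConfig(s InstanceSpec, k, v string) InstanceSpec {
	cfg := make(map[string]string, len(s.Config)+1)
	for kk, vv := range s.Config {
		cfg[kk] = vv
	}
	cfg[k] = v
	s.Config = cfg
	return s
}

// NewInstanceID returns a random RFC 4122 version-4 UUID, the shape of value
// kept in volatile.cloud-init.instance-id. (Assumption: the notes only say
// "a UUID"; the exact generator LXD uses is not stated.)
func NewInstanceID() (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	b[6] = (b[6] & 0x0f) | 0x40 // version 4
	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:16]), nil
}

func main() {
	// Constructed sample instance and a few edits of it.
	base := InstanceSpec{
		Name:   "c1",
		Config: map[string]string{"cloud-init.user-data": "#cloud-config\npackages: [curl]\n"},
		NICs:   []string{"eth0"},
	}
	renamed := base
	renamed.Name = "c2"
	moreNICs := base
	moreNICs.NICs = []string{"eth0", "eth1"}
	cases := []struct {
		what   string
		next   InstanceSpec
		isCopy bool
	}{
		{"no change", base, false},
		{"limits.memory only", WithConfig(base, "limits.memory", "2GiB"), false},
		{"user-data edited", WithConfig(base, "cloud-init.user-data", "#cloud-config\npackages: [curl, jq]\n"), false},
		{"renamed", renamed, false},
		{"copied", base, true},
		{"nic added", moreNICs, false},
	}
	for _, c := range cases {
		fmt.Printf("%-20s reset=%v\n", c.what, NeedsNewInstanceID(base, c.next, c.isCopy))
	}
	id, _ := NewInstanceID()
	fmt.Println("example new instance-id:", id)
}
```

The point of the decision function is the negative case: editing an unrelated key such as limits.memory leaves the id alone, so cloud-init does not re-apply user-data (and any secrets it carries) on every unrelated config change.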

sched_setscheduler system call interception

LXD now supports intercepting the sched_setscheduler system call.
This allows unprivileged LXD containers to change process priorities beyond what's allowed for unprivileged users. It was motivated by Android containers needing advanced control over process priorities. Because the emulated call lets the container request scheduling policies it could not otherwise set, treat the option as a deliberate widening of the container's privileges and enable it only for workloads that need it.

lvm.thinpool_metadata_size storage pool option

A new LVM storage pool option was added to control the size of the thin pool's metadata volume.
When not set, LVM is left to pick an appropriate value.

Reworked lxc network info

lxc network info was updated to cover a variety of additional network information.
This includes:

  • Bond information
  • Bridge information
  • VLAN information
  • OVN network information (HA chassis)

Here's an example for a bridge:

stgraber@castiana:~$ lxc network info lxdbr0
Name: lxdbr0
MAC address: 00:16:3e:d6:0a:4c
MTU: 1500
State: up
Type: broadcast

IP addresses:
  inet  10.128.192.1/24 (global)
  inet6 fd42:ae5f:98ab:a816::1/64 (global)
  inet6 fe80::216:3eff:fed6:a4c/64 (link)

Network usage:
  Bytes received: 207.51kB
  Bytes sent: 9.02MB
  Packets received: 2667
  Packets sent: 2967

Bridge:
  ID: 8000.00163ed60a4c
  STP: false
  Forward delay: 1500
  Default VLAN ID: 1
  VLAN filtering: true
  Upper devices: tapbb4affbb, vethb8985ecc

Highlights for those coming from LXD 4.0

It's very hard to condense everything we've done over the past two years into something that can be read in just a few minutes, but LXD has grown a lot since its last LTS.
Virtual machines are now effectively at feature parity with containers, many networking options were added, and the clustering and project features grew as well.

Virtual Machines

  • vTPM support
  • Arbitrary PCI device passthrough
  • Live migration (and stateful snapshot/stop)
  • Network device hotplug
  • Block custom volume

Networking

  • Overlay networking with OVN
  • Network ACLs for bridge and OVN networks
  • Network forwards (floating IPs)
  • BGP announcement of network routes and routed IP addresses
  • Network peering (OVN)
  • Network zones (DNS)
  • Network acceleration (SR-IOV)

Storage

  • Instance and volume refreshes
  • Block custom storage volumes

Projects

  • Resource limits
  • Restricted cluster targets
  • Restricted certificates
  • Networks (OVN)
  • Usage report
  • Desktop integration

Migration

  • Reworked migration tool (lxd-migrate) with support for both containers and VMs

Clustering

  • Failure domains to properly balance database roles
  • Easy cluster evacuation support
  • Server groups for targeting and restrictions
  • Instance metrics (OpenMetrics) with Grafana dashboard

Complete changelog

Here is a complete list of all changes in this release:

Full commit list
  • shared/util/linux: only complain on xattr size increase
  • fix typo
  • lxc/file: Update the description in lxc file mount
  • i18n: Update translation templates
  • sphinx: Don't pin dependencies
  • lxd/db: Support for expiry_date in GetLocalStoragePoolVolumeSnapshotsWithType
  • lxd: Support for expiry date in storagePoolVolumeSnapshotsTypeGet
  • lxd: Warn if exec control connection disconnects prematurely
  • lxd/cluster/heartbeat: Ensure g.Cluster is available
  • client/lxd: Add 5 second handshake timeout to websocket.Dialer
  • lxd: Add 5 second handshake timeout to websocket.Dialer
  • test: Add 5 second handshake timeout to websocket.Dialer
  • lxd/db: Add snapshot id to return value in GetExpiredStorageVolumeSnapshots
  • lxd/storage: Prevent concurrent snapshot for a volume
  • lxd: Prevent concurrent snapshot expiry for a volume
  • lxd/instance_sftp: Handle projects on forward
  • client: Use DialTLS for SFTP connections
  • client: Replace addMacaroonHeaders with addClientHeaders function
  • client/lxd: Removes duplicated header setting in rawQuery
  • client: Replaces r.httpHost with r.httpBaseURL from net/url package
  • test: Fix container devices nic bridged filtering tests on recent versions of nftables
  • client/lxd/instances: Avoids connecting twice in rawSFTPConn
  • test: Update file manipulation tests to use projects
  • lxd/instance: Improve var naming and comments related to pruneExpiredInstanceSnapshots
  • lxd/storage/volumes/snapshot: Improve var naming and comments related to pruneExpiredCustomVolumeSnapshots
  • lxd/instance/drivers/driver/lxc: Create log path for forkfile if missing in FileSFTPConn
  • lxd/instance/drivers/driver/lxc: Clean up forkfile.pid on exit
  • lxd/cluster/upgrade: Improve logging in triggerUpdate
  • lxc/network: Extend coverage of 'lxc network info'
  • i18n: Update translation templates
  • lxc/file: Use random auth creds if --no-auth and --auth-user flags not specified
  • test: Update SSH SFTP tests
  • i18n: Update translation templates
  • tests/includes: Adds util to wait for DAD to complete.
  • tests: Uses wait_for_dad util instead of sleep.
  • doc: restrict docutils version to fix parsing of notes
  • lxd/firewall: Accept slices of IPv4 and IPv6 networks for bridge filter.
  • lxd/device: Adds function to calculate allowed IPv4 and IPv6 subnets.
  • lxd/device: Use allowedIPNets to set up the firewall rules.
  • lxd/bgp: Handle multiple matches in RemovePrefix
  • lxd/bgp: Fix issue with modifying paths list while iterating
  • lxd/bgp: Don't fail on missing path
  • doc: add an extension for including YouTube links
  • doc: add related YouTube links
  • lxd/daemon: Adds kernelVersion to daemon struct
  • lxd/state/state: Adds KernelVersion field to State structure
  • lxd/instance/drivers/driver/qemu: Use d.state.KernelVersion
  • lxd/instance/drivers/driver/qemu: Only enable io_uring support in kernels <= 5.13.0
  • lxd/cgroup/abstractions: Wrap parse errors to give context of problematic value
  • lxd/storage/utils: Prevent white space in storage pool names
  • doc: update YouTube extension to be ignored by OpenGraph
  • doc: open YouTube links in a new window
  • lxd/storage/drivers: Add ErrSnapshotDoesNotMatchIncrementalSource
  • lxd/storage/drivers/zfs: Support optimized refresh
  • lxd/storage/drivers/btrfs: Add volumeSnapshotsSorted
  • lxd/storage/drivers/btrfs: Support optimized refresh
  • lxd/migration: Add new zfs feature to protobuf
  • lxd/migration: Add new zfs feature
  • lxd/migration: Add Refresh option to source
  • lxd/storage/drivers/zfs: Add migration header structs and functions
  • lxd/storage: Indicate to sender to use incremental streams
  • lxd/storage/drivers/zfs: Support optimized refresh for migration
  • lxd/migration: Add header_subvolume_uuids to protobuf
  • lxd/storage/drivers/btrfs: Add UUIDs to subvolume info
  • lxd/migration: Add BtrfsFeatureSubvolumeUUIDs
  • lxd/storage/drivers/btrfs: Add getSubvolume*UUID functions
  • lxd/storage/drivers/btrfs: Support optimized refresh for migration
  • lxd/migration: Consider refresh and common features
  • lxd/instance/lxc: Handle long forkfile socket paths
  • lxd/cluster: Don't mask lack of cluster response
  • lxd/device: Use allowedIPNets when clearing firewall rules.
  • lxd/firewall/drivers: Fix typo in comment.
  • lxd/firewall/drivers: Adds subnetMask and subnetHexPrefix utils.
  • lxd/firewall/drivers: Update ebtable and ip6table rule generation.
  • lxd/firewall/drivers: Update ebtables rule matching logic.
  • tests: Ensure firewall does not drop packets from within ipv4.routes.
  • tests: Corrects host IP in IPv6 tests.
  • tests: Change address of ipv6 network interface.
  • tests: Tests ipv6.routes and ipv6.routes.external rules.
  • lxd/firewall/drivers: Updates nftables bridge filter to accept multiple subnets.
  • lxd/firewall/drivers: Remove FilterAllIPv{n} consts.
  • tests: Updates tests for new nftables rules.
  • lxc/file: Ensure sshfs closes on exit request
  • lxd/response/upgrade: Adds Upgrade function to upgrade an HTTP connection
  • lxd-agent/sftp: response.Upgrade usage
  • lxd/cluster/gateway: response.Upgrade usage
  • lxd/instance/sftp: response.Upgrade usage
  • i18n: Update translations from weblate
  • lxd/storage: Renames setupStorageDriver to storageStartup
  • lxd: storageStartup usage
  • lxd/storage: Comment consistency with networkStartup
  • lxd/networks: Corrects comment copy/paste error
  • lxd/device/config/devices: More efficient allocations
  • lxd/device/device/interface: Adds PreStartCheck
  • lxd/device/device/common: No-op PreStartCheck
  • lxd/device/disk: Adds PreStartCheck function to check if storage pool is available
  • lxd/device/disk: Included wrapped error in diskSourceNotFoundError
  • lxd/instance/drivers: Expand start up validation to check for root disk storage pool availability
  • lxd/storage/load: Replaces UnavailablePools with IsAvailable
  • lxd/storage/errors: Removes unused ErrPoolUnavailable error var
  • lxd/storage/backend/lxd: IsAvailable usage
  • lxd/storage/backend/lxd: Replaces use of ErrPoolUnavailable with generic http.StatusServiceUnavailable
  • lxd/instances: Prevent concurrent running of instancesStart
  • lxd/instances: Updates instancesStart to detect http.StatusServiceUnavailable error class
  • lxd/instance/drivers: Call device.PreStartcheck() from deviceStart()
  • lxd/instance/drivers: Use device rather than devName in contextual logging
  • lxd/instance/drivers/driver/qemu: Log project and instance name in getAgentMetrics
  • lxd/storage: Increase log warnings to errors in storageStartup
  • shared/api: Add Project to ImageExportPost
  • client: Support for target project when copy image with push mode
  • lxd: Support for target project when copy image with push mode
  • lxc/image: Add target-project flag to 'image copy' command
  • api: images_target_project
  • tests: Add tests for copying image between projects
  • i18n: Update translation templates
  • doc/instances: Add volatile.cloud-init.instance-id
  • doc/dev-lxd: Update instance-id to UUID
  • shared/instance: Add volatile.cloud-init.instance-id
  • lxd/devlxd: Use volatile.cloud-init.instance-id
  • lxd/instance: Implement volatile.cloud-init.instance-id
  • lxd-agent: Add cloud-init-id field
  • lxd/instance/qemu: Use volatile.cloud-init.instance-id
  • lxd/instance: Add resetInstanceID
  • lxd/instance: Reset instance-id on rename
  • lxd/instance: Reset the instance-id on relevant config changes
  • tests: Add test for instance-id
  • lxd/devlxd: Fix argument naming
  • lxd/instance: Add CloudInitID
  • lxd/device/device/interface: Adds Name and Config to Device interface
  • lxd/instance/drivers/driver/lxc: Update deviceLoad to just return Device
  • lxd/instance/drivers/driver/lxc: Updates lxcCreate to use deviceLoad and deviceAdd
  • lxd/instance/drivers/driver/lxc: Updated usage of deviceLoad
  • lxd/instance/drivers/driver/lxc: Updates deviceAdd to accept a device
  • lxd/instance/drivers/driver/lxc: Updates deviceStart to accept a device
  • lxd/instance/drivers/driver/lxc: Adds Adding device log message
  • lxd/instance/drivers/driver/lxc: Updates startCommon to use deviceLoad and deviceStart separately
  • lxd/instance/drivers/driver/lxc: Updates updateDevices to use deviceLoad and deviceAdd/deviceUpdate separately
  • lxd/instance/drivers/driver/qemu: Update deviceLoad to just return Device
  • lxd/instance/drivers/driver/qemu: d.deviceLoad usage
  • lxd/instance/drivers/driver/qemu: Adds Adding device log message
  • lxd/instance/drivers/driver/qemu: Adds Removing device log message
  • lxd/instance/drivers/driver/qemu: Update deviceAdd to accept a device
  • lxd/instance/drivers/driver/qemu: Updates qemuCreate to use deviceLoad and deviceAdd
  • lxd/instance/drivers/driver/qemu: Updates updateDevices to use deviceLoad and deviceAdd/deviceUpdate separately
  • lxd/instance/drivers/driver/qemu: Updates deviceStart to accept a device
  • lxd/instance/drivers/driver/qemu: deviceStart usage
  • lxd/instance/drivers: Load all devices before starting them during instance start
  • lxd/instance/drivers: Add pre-start device checks when starting instance devices
  • lxd/instance/drivers/driver/lxc: Update deviceStop to accept a device
  • lxd/instance/drivers/driver/lxc: Update startCommon to pass device to d.deviceStop
  • lxd/instance/drivers/driver/lxc: Updates cleanupDevices to pass device to d.deviceStop
  • lxd/instance/drivers/driver/lxc: Updates updateDevices to pass device to d.deviceStop
  • lxd/instance/drivers/driver/qemu: Updates deviceStop to accept device
  • lxd/instance/drivers/driver/qemu: Update Start to pass device to deviceStop
  • lxd/instance/drivers/driver/qemu: Updates updateDevices to pass device to deviceStop
  • lxd/instance/drivers/driver/qemu: Updates cleanupDevices to pass device to deviceStop
  • lxd/response/smart: Adds IsNotFoundError function
  • lxd: Replace checks for various not found errors with response.IsNotFound() usage
  • lxd/instance: Move VMAgentData to instancetype
  • lxc/utils/table: add compact table
  • i18n: Update translation templates
  • shared/api/network: Adds NetworkStatusUnavailable constant
  • lxd/db/warnings/types: Rename WarningNetworkStartupFailure to WarningNetworkUnvailable
  • lxd/network/network/load: Adds IsAvailable and function
  • lxd/network/driver/common: Adds setAvailable and setUnavailable functions
  • lxd/network/driver/common: Updates LocalStatus to return api.NetworkStatusUnavailable if unavailable.
  • lxd/network/network/interface: Adds Locations
  • lxd/network/driver/common: Implements Locations
  • lxd/network/driver/bridge: Updates Start to set availability
  • lxd/network/driver/bridge: Remove warning management from driver
  • lxd/network/driver/macvlan: Updates Start to set availability
  • lxd/network/driver/sriov: Updates Start to set availability
  • lxd/network/driver/physical: Check parent exists when starting
  • lxd/network/driver/physical: Updates Start to set availability
  • lxd/network/driver/physical: Remove warning management from driver
  • lxd/network/driver/physical: Remove duplicate start log
  • lxd/network/driver/ovn: Updates Start to set availability
  • lxd/network/driver/ovn: Refuse to start if uplink network is unavailable
  • lxd/network/driver/ovn: Remove warning management from driver
  • lxd/networks: Updates networkStartup to retry starting degraded networks in the background
  • lxd/networks: Updates doNetworkGet to accept an allNodes argument
  • lxd/networks: Updates networksGet to improve naming, comments and doNetworkGet usage
  • lxd/networks: Updates networkGet to improve naming, comments and doNetworkGet usage
  • lxc/network: Always add State column to network list output
  • lxd/device/nic: Adds PreStartCheck function for NICs with managed parent network support
  • lxd/network/driver/common: Delete network from unavailableNetworks on delete
  • lxd/storage: Update comment in storageStartup
  • lxd/network/driver/common: Delete warnings on delete
  • lxd/network/driver/bridge: Remove duplicated warnings delete step
  • lxd/network/network/load: Adds PatchPreCheck function
  • lxd/patches: Adds patchPostNetworks stage
  • lxd/daemon: Adds hook for patchPostNetworks stage
  • lxd/patches: Adds patchGenericNetwork function and updates network patches to use it
  • lxd/storage/backend/lxd: Replaces bespoke revert with revert package
  • shared/api: Adds AllowInconsistent to InstancePost.
  • client: Pass allowInconsistent into instance post request.
  • lxd/instance_post: Use allowInconsistent value in migrations.
  • doc: Updates API spec.
  • doc/environment: Adds LXD_IDMAPPED_MOUNTS_DISABLE env var
  • lxd/daemon: Detect LXD_IDMAPPED_MOUNTS_DISABLE env var and disable idmapped mount support
  • lxd/storage/utils: Adds VolumeDBDelete function
  • lxd/storage/backend/lxd: Replace usage of RemoveStoragePoolVolume with VolumeDBDelete
  • lxd/storage/utils: Reduce arguments of VolumeDBCreate in style of VolumeDBDelete
  • lxd/storage/backend/lxd: VolumeDBCreate usage
  • doc: add an extension for adding Discourse links
  • doc: add links to tutorials on Discourse
  • doc: add links to specifications on Discourse
  • lxd/instance/drivers: Moves StoragePool and getStoragePool to common
  • lxd/network/ovn: Don't use HostPathFollow on OVN configs
  • lxd-agent: cleaner shutdown sequence
  • lxd/networks: Don't keep trying to start removed degraded networks
  • lxd/storage/load: Update GetPoolByInstance to use instance's StoragePool() function
  • lxd/storage/backend/lxd: Ensure we use errors.Is when checking for drivers.ErrNotSupported
  • lxd/instance: Avoid extra query when copying instance snapshot's creation time
  • lxd/storage/utils: Adds VolumeDBGet function
  • lxd/storage/backend/lxd: Renames and reworks instanceRootVolumeConfig into instanceEffectiveRootVolumeConfig
  • lxd/storage/backend/lxd: b.instanceEffectiveRootVolumeConfig usage
  • lxd/storage/utils: Updates comment on VolumeDBCreate
  • lxd/storage/pool/interface: Rename srcVolOnly to snapshots for RefreshCustomVolume and CreateCustomVolumeFromCopy
  • lxd/storage/backend: Update RefreshCustomVolume and CreateCustomVolumeFromCopy to use snapshots arg
  • lxd/storage/volumes: pool.CreateCustomVolumeFromCopy and pool.RefreshCustomVolume usage
  • lxd/storage/utils: Renames and reworks VolumeSnapshotsGet to VolumeDBSnapshotsGet
  • lxd/migrate/storage/volumes: storagePools.VolumeDBSnapshotsGet usage
  • lxd/storage/backend/lxd: VolumeDBSnapshotsGet usage
  • lxd/storage/backend/lxd: Allocate snapshotNames more efficiently in CreateCustomVolumeFromCopy
  • lxd/migrate/instance: Don't ignore existing snapshot instances on migrate receiver
  • lxd/storage/backend/lxd: Comment improvements CreateCustomVolumeFromCopy
  • grafana: Add missing datasource field
  • github: Add Go 1.18
  • doc/clustering: Make more space in table
  • doc/clustering: Remove condition column
  • doc/clustering: Add section about roles
  • lxd/network/ovn: Fix typo
  • lxd/network/ovn: Fix bad comment
  • lxd/api_internal: Sort endpoints
  • doc: rename extension file
  • doc: rename stylesheet classes for extension
  • doc: update the extension to allow for general related links
  • doc: add related links to the documentation
  • lxd/storage/utils: Updates VolumeDBSnapshotsGet to accept drivers.VolumeType arg
  • lxd/storage/backend/lxd: VolumeDBSnapshotsGet usage
  • lxd/migrate/storage/volumes: Updates storagePools.VolumeDBSnapshotsGet usage
  • lxd/db/storage/volumes: Updates GetLocalStoragePoolVolumeSnapshotsWithType to populate ID and Config fields
  • lxd/instance/qemu: Fix regression in cdrom handling
  • api: Adds cluster_allow_inconsistent_copy extension.
  • lxd/storage/backend/lxd: Use more efficient allocations in GetVolume
  • lxd/storage/utils: Removes unnecessary duplicate check in VolumeDBCreate
  • lxd/storage/drivers/volume: Adds VolumeType.IsInstance function
  • lxd/storage/backend/lxd: Define instanceDiskVolumeEffectiveFields
  • lxd/storage/utils: Check that instanceDiskVolumeEffectiveFields are not used for instance volumes DB records
  • lxd/storage/backend/lxd: Reworks instanceEffectiveRootVolumeConfig into instanceEffectiveRootVolume
  • lxd/storage/backend/lxd: b.instanceEffectiveRootVolume usage
  • lxd/instance/drivers/qmp: Support adding and removing block devices
  • lxd/instance/drivers/qemu: Use RemoveDevice for NIC
  • lxd/device/disk: Support hot-plugging
  • lxd/instance/drivers/qemu: Remove unnecessary check
  • lxd/instance/drivers/qemu: Add qemuBlockDevIDPrefix
  • lxd/instance/drivers/qemu: Add deviceAttachBlockDevice
  • lxd/instance/drivers/qemu: Add deviceDetachBlockDevice
  • lxd/instance/drivers/qmp: Add FD set commands
  • lxd/device/config: Put root device first
  • lxd/instance/drivers/qemu: Enable hotplugging raw disks
  • lxd/instance/drivers/qemu: Drop string builder arg
  • lxd/device: Validate disk device name length
  • lxd/instance/drivers/qemu: Remove qemuDrive template
  • lxd/instance/drivers/qemu: Disallow hotplugging directories
  • lxd/images: Remove old db entry after image refresh
  • lxd/operations: Remove all operations for the member in waitForOperations
  • lxd/daemon: waitForOperations usage
  • shared/network: Improve error returned from RFC3493Dialer
  • lxd/operations: Updates operationsGet to exclude offline members like operationsGetByType
  • lxd/operations: Aligns operationsGetByType with operationsGet
  • lxd/db/operations: Renames GetNodesWithRunningOperations to reflect what it does
  • lxd/operations: tx.GetNodesWithOperations usage
  • lxd/state: Rename Context field to ShutdownCtx
  • lxd: State.ShutdownCtx usage
  • lxd/operations/operations: Don't remove DB record in done when LXD is shutting down
  • doc/authentication: mention ECDSA keys as recommended
  • test: Add manual refresh test
  • lxd/instance/drivers/qemu: Fix block devices
  • shared/network: remove CBC + SHA1 ciphersuites
  • shared/network: enable ChaCha20-Poly1305 Cipher Suites for TLS 1.2
  • shared/network: prefer AES-128 over AES-256
  • lxd/instance/drivers/driver/lxc: Remove storage volume DB record creation from lxcCreate
  • lxd/instance/drivers/driver/qemu: Remove storage volume DB record creation from qemuCreate
  • lxd/instance/instance/utils: Removes unused volumeConfig arg from Create
  • lxd/instance/instance/utils: Removes unused volumeConfig arg from CreateInternal
  • lxd/instance/drivers/load: Removes unused volumeConfig arg from create
  • lxd: CreateInternal usage
  • lxd/storage: Removes unused FillInstanceConfig
  • lxd/storage/backend/lxd: CreateInstance storage volume DB records
  • lxd/storage/backend/lxd: CreateInstanceFromImage storage volume DB records
  • lxd/storage/backend/lxd: CreateInstanceSnapshot storage volume DB records
  • lxd/storage/backend/lxd: CreateInstanceFromMigration storage volume DB records
  • lxd/storage/backend/lxd: CreateInstanceFromCopy storage volume DB records
  • lxd/instance: Remove volume settings copying from source in instanceCreateAsCopy
  • lxd/storage/backend/lxd: RefreshInstance storage volume DB records
  • lxd/storage/backend/lxd: CreateInstanceFromBackup storage volume DB records
  • lxd/storage/backend/lxd: Error quoting in UpdateInstance
  • lxd/storage/pool/interface: Update ImportCustomVolume signature
  • lxd/storage/backend/lxd: Update ImportCustomVolume with new signature
  • lxd/api/internal/recover: pool.ImportCustomVolume usage
  • lxd/storage/pool/interface: Update ImportInstance to accept pool volume info
  • lxd/storage/backend/mock: ImportInstance updated signature
  • lxd/storage/backend/mock: ImportCustomVolume updated signature
  • lxd/storage/backend/lxd: ImportInstance storage volume DB record management
  • lxd/api/internal/recover: pool.ImportInstance usage
  • lxd/instance/post: pool.ImportInstance usage
  • lxd/db/instances: Start using api.StatusErrorf http.StatusNotFound
  • lxd/db/storage/pools: Start using api.StatusErrorf http.StatusNotFound
  • test: Improve container_recover test to explicitly check for existence of storage DB records
  • lxd/storage/backend/lxd: No need to wrap errors from VolumeDBCreate
  • lxd/instance/test: Fix TestContainer_LoadFromDB to create storage volume record
  • global: Set TLS 1.3 baseline
  • gomod: Bump to 1.18
  • doc/requirements: Bump minimal requirements
  • github: Drop Go 1.17.x
  • lxd/device: Update to support netip
  • test/macaroon-identity: Reduce external dependencies
  • lxd/cluster: Remove legacy upgrade code
  • gomod: Update dependencies
  • Makefile: Update for Go 1.18
  • lxc/export: Fix help message
  • i18n: Update translation templates
  • Revert "lxd-agent: cleaner shutdown sequence"
  • api: cluster_ovn_chassis
  • doc/clustering: Add ovn-chassis role
  • lxd/db: Add ovn-chassis role
  • lxd/network/ovn: Handle ovn-chassis role
  • lxd/network: Add networkRestartOVN
  • lxd/daemon: Detect change in OVN chassis layout
  • shared/util: Adds generic HasKey function for checking if a map key exists
  • doc: fix typo
  • doc: whitespace changes only
  • doc: reordering content
  • doc: add some headings
  • doc: update network zones documentation
  • doc: updates from review
  • lxc/cluster: Make add easier to script
  • lxc/config_trust: Make add easier to script
  • i18n: Update translation templates
  • lxd/networks: Avoid needless OVN restart on startup
  • client/operations: Fix incorrect interpolation of % characters in errors
  • shared/util: Remove line wrap
  • lxd/db: Add OperationRemoveOrphanedOperations
  • lxd/images: Code style for error handling in pruneExpiredImagesInProject
  • lxd/images: Ensure full fingerprint is returned in imageDelete
  • lxd: Removes doDeleteImageFromPool to reduce DB queries loading pools
  • lxd/images: Contextual logging in autoUpdateImage
  • lxd/images: Log errors in distributeImage
  • lxd/images: Improve errors in distributeImage
  • lxd/images: Log old image fingerprint on DB delete error in autoUpdateImages
  • Revert "lxd/images: Remove old db entry after image refresh"
  • lxd/db/images: Switch to api.StatusErrorf in GetImage
  • lxd/db/images: Whitespace
  • lxd/images: Error improvements in autoUpdateImagesTask
  • lxd/images: Error and comment improvements in autoUpdateImages
  • lxd/images: Distribute refreshed image and delete old image record in imageRefresh
  • lxd/images: Only distribute images if there are >1 members in autoUpdateImages
  • lxd/operations/operations: Convert to contextual logging for operation remove warning
  • lxd/db/db/internal/test: Fix Test_ImageGet_for_missing_fingerprint
  • lxd/storage/backend/lxd: Fix existing image check for rsync in CreateInstanceFromMigration
  • test: Improve tests for image refresh
  • shared/network: require TLS 1.2+ if LXD_INSECURE_TLS
  • test: Improve clustering image refresh tests
  • test: Fix test_image_refresh to work with random mode
  • test: Extract pool driver from standalone pool for cluster image refresh tests
  • lxd/storage/load: Rename GetPoolByName to LoadByName
  • lxd: storagePools.LoadByName usage
  • lxd/storage/load: Renames GetPoolByInstance to LoadByInstance
  • lxd: storagePools.LoadByInstance usage
  • lxd/storage: Renames load.go to pool_load.go
  • lxd/instance/drivers/qmp: Add AddDevice
  • lxd/instance/drivers/qmp: Use AddDevice internally
  • lxd/instance/drivers: Use QMP to add USB devices
  • lxd/instance/drivers/qemu: Remove unused arguments
  • lxd/instance/drivers/templates: Remove qemuUSBDev
  • lxd/device/usb: Always set busnum and devnum
  • lxd/device/usb: Include bus and dev num in device name
  • lxd/device/usb: Populate runConf on stop
  • lxd/instance/driver/qemu: Support USB hotplugging
  • lxd/instance/drivers/qemu: Use fixed number of USB devices
  • lxd/devices/usb: Add USB device to runConf
  • lxd/instance/drivers/qemu: Implement DeviceEventHandler
  • lxd/device/usb: Support hotplugging
  • lxd/operations: Add function to remove orphaned operations
  • lxd/daemon: Remove orphaned operations periodically
  • lxd: Drop devPaths logic
  • Replace interface{} with any
  • doc: add link to multi-user video
  • doc/instances: Extend key column
  • doc/syscall-interception: Cover bpf and mount
  • api: container_syscall_intercept_sched_setscheduler
  • doc: Add security.syscalls.intercept.sched_setscheduler
  • doc/syscall-interception: Add sched_setscheduler
  • shared/instance: Add security.syscalls.intercept.sched_setscheduler
  • scripts/bash: security.syscalls.intercept.sched_setscheduler
  • lxd/seccomp: Add sched_setscheduler
  • lxd: intercept sched_setscheduler() system call
  • lxd/patches: Removes all patches applied since LXD 4.0.0
  • lxd/db: Removes functions used by removed patches
  • lxd/storage: Remove patches not needed since LXD 4.0.0
  • lxd/patches/utils: Removes file
  • lxd/patches: Removes unused functions
  • lxd/storage: Remove check for storage_api patch being applied
  • test: Update sql test to check for more recent patch
  • doc/storage: Adds lvm.thinpool_metadata_size
  • lxd/storage/drivers/driver/lvm/utils: Adds thinpoolMetadataSize arg to createDefaultThinPool
  • lxd/storage/pools/config: Legacy validation for lvm.thinpool_metadata_size
  • lxd/storage/drivers/driver/lvm: Adds lvm.thinpool_metadata_size support
  • lxd/storage/drivers/driver/lvm/utils: Don't round 0 or empty string in roundedSizeBytesString
  • scripts/bash/lxd-client: Adds lvm.thinpool_metadata_size to bash auto complete
  • api: Adds storage_lvm_thinpool_metadata_size API extension
  • test: Fix LVM quota size checks
  • test/includes: Adds LVM support to spawn_lxd_and_join_cluster
  • test: Remove LVM exclusion from test_clustering_image_refresh
  • test: Remove LVM exclusion from test_clustering_storage_single_node
  • test: Remove LVM exclusion from test_clustering_evacuation
  • test: Remove LVM exclusion from test_clustering_storage
  • client: Fix logger calls
  • lxd/db/query: Fix logger calls
  • lxd/device: Fix bad logger calls
  • shared/logging: Remove unused functions
  • shared/logger: Add Ctx
  • global: Switch to logger.Ctx
  • shared/logger: Port to logrus
  • lxd: Switch to using new logger
  • lxd-agent: Switch to using new logger
  • lxc: Switch to using new logger
  • shared/logging: Remove deprecated package
  • lxd/events: Port to logrus
  • lxc/monitor: Port to logrus
  • gomod: Drop log15
  • lxd: make sure we're operating relative to the correct pid namespace
  • client: More flexible server comparison
  • i18n: Update translations from weblate
  • lxd/storage/drivers: Properly use logger.Ctx
  • lxd/storage: Properly use logger.Ctx
  • shared/logger: Properly handle context
  • lxd/certificates: Check validity on upload/update
  • lxd/network/zone: Don't allow duplicate entries
  • lxd: Remove LegacyLocalDatabasePath
  • lxd: Removes LegacyGlobalDatabasePath
  • lxd: Remove legacyPatches
  • lxd: Remove legacyPatches from OpenNode
  • lxd: Don't return a pre-clustering dump from OpenNode
  • lxd/db/legacy: Removes file
  • lxd/db/db: Remove unused Begin
  • lxd/db: Remove schema.Hook from EnsureSchema
  • lxd/db/transaction: Removes unused Tx
  • tests: Remove database_update
  • lxd/cluster: Remove legacy upgrade logic
  • lxd/db: Rename ForLegacyPatches to DirectAccess
  • lxd/certificates: Require a minimum of 2048bit RSA
  • tests: Make certificate_edit use an EC cert
  • tests: Bump easy-rsa key to 4096
  • lxd/operations: Don't crash on missing state

Try it for yourself

This new LXD release is already available for you to try on our demo service.

Downloads

The release tarballs can be found on our download page.

Binary builds are also available for:

  • Linux: snap install lxd
  • MacOS: brew install lxc
  • Windows: choco install lxc

LXD 4.24 has been released

14th of March 2022

Introduction

The LXD team is very excited to announce the release of LXD 4.24!

This should be the last release of the 4.x series with our next release being LXD 5.0 LTS.

Enjoy!

New features and highlights

lxc file mount and new files API

LXD now offers a completely new file API. It is internally based on a native Go implementation of the SFTP protocol, is directly available through GET /1.0/instances/NAME/sftp, and has been retrofitted to serve the existing files API as well.

The result is significantly faster file operations, especially when made in parallel or in fast succession, and a much reduced footprint, since LXD no longer has to spawn a sub-process for every request nor copy around the files being accessed or retrieved.

The new API also makes integrating with sshfs possible which in turn gives us the new lxc file mount command allowing mounting any instance into a local path on the client.

stgraber@dakara:~$ mkdir netbox01
stgraber@dakara:~$ lxc file mount s-dcmtl-cluster:netbox01/ netbox01/
sshfs mounting "netbox01/" on "netbox01"
Press ctrl+c to finish

stgraber@dakara:~$ ls -lh netbox01/
total 76K
lrwxrwxrwx 1 root   root       7 Mar  9 02:45 bin -> usr/bin
drwxr-xr-x 1 root   root    4.0K Apr 15  2020 boot
drwxr-xr-x 1 root   root     500 Mar 10 14:53 dev
drwxr-xr-x 1 root   root    4.0K Mar 10 12:17 etc
drwxr-xr-x 1 root   root    4.0K Mar  9 18:31 home
lrwxrwxrwx 1 root   root       7 Mar  9 02:45 lib -> usr/lib
lrwxrwxrwx 1 root   root       9 Mar  9 02:45 lib32 -> usr/lib32
lrwxrwxrwx 1 root   root       9 Mar  9 02:45 lib64 -> usr/lib64
lrwxrwxrwx 1 root   root      10 Mar  9 02:45 libx32 -> usr/libx32
drwxr-xr-x 1 root   root    4.0K Mar  9 02:45 media
drwxr-xr-x 1 root   root    4.0K Mar  9 02:45 mnt
drwxr-xr-x 1 root   root    4.0K Mar  9 19:09 opt
dr-xr-xr-x 1 nobody nogroup    0 Mar 10 14:53 proc
drwx------ 1 root   root    4.0K Mar 10 17:19 root
drwxr-xr-x 1 root   root     400 Mar 10 14:53 run
lrwxrwxrwx 1 root   root       8 Mar  9 02:45 sbin -> usr/sbin
drwxr-xr-x 1 root   root    4.0K Mar  9 02:45 srv
dr-xr-xr-x 1 nobody nogroup    0 Mar 10 14:53 sys
drwxrwxrwt 1 root   root    4.0K Mar 13 22:30 tmp
drwxr-xr-x 1 root   root    4.0K Mar  9 02:45 usr
drwxr-xr-x 1 root   root    4.0K Mar  9 02:46 var

Cluster event hub role

LXD uses an event API to track the progress of operations as well as provide easy ways to monitor the lifecycle of instances across the entire cluster.

By default, this works as a full mesh where each LXD server is connected to all others, receiving all their events and broadcasting all of its local events to all others.

When dealing with larger clusters, this can lead to quite a few connections and a lot of network traffic. To improve this, we have now introduced a new event-hub role which can be assigned to at least two cluster members. When set, the event handling switches from the default full-mesh mode to the new hub mode.

stgraber@dakara:~$ lxc cluster list
+----------+-------------------------------------+------------------+--------------+----------------+---------------------------+--------+-------------------+
|   NAME   |                 URL                 |      ROLES       | ARCHITECTURE | FAILURE DOMAIN |        DESCRIPTION        | STATE  |      MESSAGE      |
+----------+-------------------------------------+------------------+--------------+----------------+---------------------------+--------+-------------------+
| asuras   | https://[2602:fc62:b:100::200]:8443 |                  | aarch64      | apm-chassis01  | APM X-Gene 2              | ONLINE | Fully operational |
+----------+-------------------------------------+------------------+--------------+----------------+---------------------------+--------+-------------------+
| athos    | https://[2602:fc62:b:100::204]:8443 | database-standby | x86_64       | athos          | Intel Xeon E5-2695v2 (2x) | ONLINE | Fully operational |
+----------+-------------------------------------+------------------+--------------+----------------+---------------------------+--------+-------------------+
| celestis | https://[2602:fc62:b:100::206]:8443 |                  | aarch64      | celestis       | LibreComputer Potato      | ONLINE | Fully operational |
+----------+-------------------------------------+------------------+--------------+----------------+---------------------------+--------+-------------------+
| delmak   | https://[2602:fc62:b:100::205]:8443 | database         | aarch64      | delmak         | Qualcomm Centriq 2400     | ONLINE | Fully operational |
+----------+-------------------------------------+------------------+--------------+----------------+---------------------------+--------+-------------------+
| entak    | https://[2602:fc62:b:100::201]:8443 | database         | aarch64      | apm-chassis01  | APM X-Gene 2              | ONLINE | Fully operational |
+----------+-------------------------------------+------------------+--------------+----------------+---------------------------+--------+-------------------+
| madrona  | https://[2602:fc62:b:100::202]:8443 | database-leader  | aarch64      | apm-chassis02  | APM X-Gene 2              | ONLINE | Fully operational |
|          |                                     | database         |              |                |                           |        |                   |
+----------+-------------------------------------+------------------+--------------+----------------+---------------------------+--------+-------------------+
| vorash   | https://[2602:fc62:b:100::203]:8443 | database-standby | aarch64      | apm-chassis02  | APM X-Gene 2              | ONLINE | Fully operational |
+----------+-------------------------------------+------------------+--------------+----------------+---------------------------+--------+-------------------+
stgraber@dakara:~$ lxc info | grep server_event_mode
  server_event_mode: full-mesh
stgraber@dakara:~$ lxc cluster edit athos
stgraber@dakara:~$ lxc info | grep server_event_mode
  server_event_mode: full-mesh
stgraber@dakara:~$ lxc cluster edit delmak
stgraber@dakara:~$ lxc info | grep server_event_mode
  server_event_mode: hub-client
stgraber@dakara:~$ lxc cluster list
+----------+-------------------------------------+------------------+--------------+----------------+---------------------------+--------+-------------------+
|   NAME   |                 URL                 |      ROLES       | ARCHITECTURE | FAILURE DOMAIN |        DESCRIPTION        | STATE  |      MESSAGE      |
+----------+-------------------------------------+------------------+--------------+----------------+---------------------------+--------+-------------------+
| asuras   | https://[2602:fc62:b:100::200]:8443 |                  | aarch64      | apm-chassis01  | APM X-Gene 2              | ONLINE | Fully operational |
+----------+-------------------------------------+------------------+--------------+----------------+---------------------------+--------+-------------------+
| athos    | https://[2602:fc62:b:100::204]:8443 | event-hub        | x86_64       | athos          | Intel Xeon E5-2695v2 (2x) | ONLINE | Fully operational |
|          |                                     | database-standby |              |                |                           |        |                   |
+----------+-------------------------------------+------------------+--------------+----------------+---------------------------+--------+-------------------+
| celestis | https://[2602:fc62:b:100::206]:8443 |                  | aarch64      | celestis       | LibreComputer Potato      | ONLINE | Fully operational |
+----------+-------------------------------------+------------------+--------------+----------------+---------------------------+--------+-------------------+
| delmak   | https://[2602:fc62:b:100::205]:8443 | event-hub        | aarch64      | delmak         | Qualcomm Centriq 2400     | ONLINE | Fully operational |
|          |                                     | database         |              |                |                           |        |                   |
+----------+-------------------------------------+------------------+--------------+----------------+---------------------------+--------+-------------------+
| entak    | https://[2602:fc62:b:100::201]:8443 | database         | aarch64      | apm-chassis01  | APM X-Gene 2              | ONLINE | Fully operational |
+----------+-------------------------------------+------------------+--------------+----------------+---------------------------+--------+-------------------+
| madrona  | https://[2602:fc62:b:100::202]:8443 | database-leader  | aarch64      | apm-chassis02  | APM X-Gene 2              | ONLINE | Fully operational |
|          |                                     | database         |              |                |                           |        |                   |
+----------+-------------------------------------+------------------+--------------+----------------+---------------------------+--------+-------------------+
| vorash   | https://[2602:fc62:b:100::203]:8443 | database-standby | aarch64      | apm-chassis02  | APM X-Gene 2              | ONLINE | Fully operational |
+----------+-------------------------------------+------------------+--------------+----------------+---------------------------+--------+-------------------+
stgraber@dakara:~$

Reworked lxc storage volume info

lxc storage volume info has been significantly reworked to provide an output much more in line with that of lxc info rather than the limited YAML output it was providing before.

It will now show details about the storage volume, its type, location, disk usage as well as any related snapshots and backups.

stgraber@dakara:~$ lxc storage volume info default foo
Name: foo
Type: custom
Content type: filesystem
Usage: 192.00KiB

Snapshots:
+-------+-------------+------------+
| NAME  | DESCRIPTION | EXPIRES AT |
+-------+-------------+------------+
| snap0 |             |            |
+-------+-------------+------------+

AppArmor profiles for image extractors

As an additional security layer, LXD now automatically generates a temporary AppArmor profile whenever it unpacks an image or backup.

This protects LXD systems against potential attacks on tar, unsquashfs or any of the compression/decompression programs that those call. The profile only allows access to the paths required to read/write the image/backup and its content.

Grafana dashboard

LXD now ships with a Grafana dashboard.

You can either get the dashboard JSON directly from the LXD release tarball or perhaps more conveniently from the Grafana website.


Learn more here: https://discuss.linuxcontainers.org/t/official-grafana-dashboard-for-lxd/13438

Degraded startup (missing disk)

LXD can now start up with one or more storage pools missing.
In this scenario, the storage pool is held back and retried repeatedly in the background. All instances and volumes depending on that pool are similarly blocked until the pool comes back online.

This should be useful both as a recovery mechanism when a storage pool dies for some reason as well as allowing some scenarios where one or more pools are on external media and may not be available at startup time.

Do note, however, that LXD upgrade operations will most likely require all pools to be present, so LXD may still fail to start due to missing storage pools when an upgrade migration step must be run across all instances and volumes.

restricted.containers.interception project option

A new project restriction option was introduced. restricted.containers.interception allows for the use of most security.syscalls.intercept options with the current exception of:

  • security.syscalls.intercept.mount.allowed
  • security.syscalls.intercept.mount.shift

Setting this option to allow will make it possible for users to enable system call interception on their instances, making it easier to run some workloads like Docker.

Enabling this option does create an increased attack surface and a good opportunity for denial of service attacks against the host system, as each intercepted system call causes a temporary task to be spawned on the host to perform the requested action in the instance.

Documentation: https://linuxcontainers.org/lxd/docs/master/projects/

core.metrics_authentication server option

A new server option was introduced to allow unauthenticated use of LXD's metrics API. When core.metrics_authentication is set to false, the metrics server running at the address set through core.metrics_address will no longer check the client certificate of the requestor and will return metrics for all projects.

This should only ever be used when proper TLS-based authentication isn't possible, and then in conjunction with firewalling to restrict which servers can access the metrics endpoint.
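As an added example (not LXD's own code), the script below audits the key/value maps that lxc config show, lxc project show and lxc config show INSTANCE return for the two risks called out above, unauthenticated metrics on a wildcard address and restricted projects that allow syscall interception, and lists the interception options an instance has enabled. The configuration maps are constructed inline so it runs offline, and block is assumed to be the default of restricted.containers.interception.

```python
"""Audit LXD server, project and instance configuration for the settings
discussed in these release notes. Added example, not part of LXD."""
from typing import Dict, List

Config = Dict[str, str]

# Host parts that make core.metrics_address listen on every interface.
WILDCARD_HOSTS = {"", "0.0.0.0", "::", "[::]"}


def metrics_host(address: str) -> str:
    """Return the host part of a core.metrics_address value.

    Accepted forms: "host:port", "[v6addr]:port", ":port" and a bare host.
    """
    addr = address.strip()
    if addr.startswith("[") and "]" in addr:   # bracketed IPv6 with port
        return addr[: addr.index("]") + 1]
    if addr.count(":") == 1:                    # host:port or :port
        return addr.rsplit(":", 1)[0]
    return addr                                 # bare host (v4, v6 or empty)


def audit_server(config: Config) -> List[str]:
    """Flag core.metrics_authentication=false, and flag it more strongly when
    the metrics address is a wildcard bind reachable from any network."""
    findings: List[str] = []
    if config.get("core.metrics_authentication", "true").lower() != "false":
        return findings
    findings.append("server: core.metrics_authentication=false serves metrics of "
                    "all projects without a client certificate check")
    address = config.get("core.metrics_address", "")
    if metrics_host(address) in WILDCARD_HOSTS:
        findings.append(f"server: core.metrics_address={address!r} listens on every "
                        "interface; bind it to a management interface and firewall it")
    return findings


def audit_project(name: str, config: Config) -> List[str]:
    """Flag restricted projects that let users enable syscall interception.
    "block" is assumed to be the default of restricted.containers.interception."""
    findings: List[str] = []
    if config.get("restricted", "false").lower() != "true":
        return findings   # unrestricted projects are not limited by this key
    if config.get("restricted.containers.interception", "block").lower() == "allow":
        findings.append(f"project {name}: restricted.containers.interception=allow lets "
                        "users enable syscall interception; each intercepted call "
                        "spawns a host task, so watch for denial of service")
    return findings


def audit_instance(name: str, config: Config) -> List[str]:
    """List the boolean interception options enabled on an instance
    (security.syscalls.intercept.mount.allowed holds a filesystem list, not a bool)."""
    enabled = sorted(key for key, value in config.items()
                     if key.startswith("security.syscalls.intercept.")
                     and value.lower() == "true")
    if not enabled:
        return []
    return [f"instance {name}: interception enabled for {', '.join(enabled)}"]


def audit(server: Config, projects: Dict[str, Config],
          instances: Dict[str, Config]) -> List[str]:
    """Run all three audits and return the combined findings, deterministically ordered."""
    findings = audit_server(server)
    for name, config in sorted(projects.items()):
        findings += audit_project(name, config)
    for name, config in sorted(instances.items()):
        findings += audit_instance(name, config)
    return findings


# Constructed sample configuration; names and values are not from a real deployment.
SAMPLE_SERVER = {"core.https_address": "10.0.0.10:8443",
                 "core.metrics_address": ":8444",
                 "core.metrics_authentication": "false"}
SAMPLE_PROJECTS = {"default": {"restricted": "false"},
                   "tenant-a": {"restricted": "true",
                                "restricted.containers.interception": "allow"},
                   "tenant-b": {"restricted": "true"}}
SAMPLE_INSTANCES = {"docker01": {"security.syscalls.intercept.mknod": "true",
                                 "security.syscalls.intercept.setxattr": "true",
                                 "security.syscalls.intercept.mount.allowed": "ext4"},
                    "web01": {"limits.memory": "1GiB"}}

if __name__ == "__main__":
    for line in audit(SAMPLE_SERVER, SAMPLE_PROJECTS, SAMPLE_INSTANCES):
        print(line)
```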

Network interface name and MTU in virtual machines

A new configuration option, agent.nic_config, was introduced for Virtual Machines.

When set, the LXD agent running inside of the VM will rename and reconfigure the network interfaces at boot time so that their name and mtu properties as set in the LXD configuration get applied to the interface inside of the VM.

This gets the behavior much closer to that of a container, but it's worth noting that VM images generally expect the network interface to be named enp5s0 and that using another name will most likely require changes to the network configuration of the instance.

I/O uring support for VM storage

LXD virtual machines now detect host support for io_uring and, if it is available and compatible with the storage pool in use, have QEMU use it for block I/O.

This can lead to much faster I/O on compatible systems as well as reduced load on the host system.

ipv4.neighbor_probe and ipv6.neighbor_probe NIC options

In LXD 4.23, we introduced logic to detect an existing IPv4 or IPv6 address on startup for instances using a routed network interface. While this check usually makes sense and avoids potential misconfigurations, there are cases where it is desirable to turn it off.

For this reason, we've now introduced two new configuration keys to control this behavior:

  • ipv4.neighbor_probe
  • ipv6.neighbor_probe

Documentation: https://linuxcontainers.org/lxd/docs/master/instances/#nic-routed

Complete changelog

Here is a complete list of all changes in this release:

Full commit list
  • lxd-agent: Fix bad copy/paste
  • lxd/daemon: Fix http response error typos
  • lxd-migrate: Support certificate tokens
  • lxd/util/http: Improves comment on CheckTrustState
  • lxd/util/http: Var naming clarity in CheckTrustState
  • lxd/daemon: Adds the trusted cluster member fingerprint to the request context username field in Authenticate
  • lxd/events/events: Adds EventSource type and constants
  • lxd/events/common: Removes localOnly concept from common listener
  • lxd/events/devlxdEvents: Removes isLocal concept
  • lxd/events/events: Replaces isLocal with excludeSources concept for AddListener
  • lxd/events: Updates d.events.AddListener usage with excludeSources
  • lxd-agent/events: Updates d.events.AddListener with excludeSources
  • test: Adds basic cluster event tests
  • lxd/events/events: Removes listener level location concept and replaces with server location concept
  • lxd-agent/events: d.events.AddListener usage to remove listener level location
  • lxd/events: Updates d.events.AddListener to remove listener location
  • lxd/cluster/events: Prevent concurrent running of EventsUpdateListeners
  • go.mod: bump github.com/mdlayher/vsock@v1.0.1
  • lxd/main_init_interactive: Add missing :
  • lxc/console: Don't crash on manual disconnect
  • doc/metrics: stop tuning job's scrape_interval now that results are cached 8s only
  • doc/metrics: don't assume any default scrape_interval value
  • lxd/response: Modernize FileResponse
  • lxd-agent: Update for FileResponse changes
  • lxd: Update for FileResponse changes
  • lxd/response: Rename FileModify to FileModified
  • lxd/fsmonitor/drivers: Ignore stale file handle errors.
  • lxd/apparmor: Remove state.State dependency from apparmor package
  • lxd/device: Remove state.State dependency from apparmor package
  • lxd/instance/drivers: Remove state.State dependency from apparmor package
  • lxd/network: Remove state.State dependency from apparmor package
  • lxd/storage/drivers/driver/zfs: Set all dataset mountpoint settings to legacy
  • lxd/cluster/membership: Run EventsUpdateListeners in NotifyHeartbeat in wait group
  • lxd/cluster/heartbeat: Only upsert member offline error in APIHeartbeat.Send if context not cancelled
  • lxd/cluster/heartbeat: Save member state gathered so far if heartbeat is cancelled
  • lxd/cluster/heartbeat: Comment improvement
  • lxd/cluster/heartbeat: Immediately ping remaining members when ctx is cancelled in APIHeartbeat.Send
  • lxd/cluster/gateway: Export HeartbeatLock
  • lxd/cluster/heartbeat: g.HeartbeatLock usage
  • lxd/cluster/heartbeat: Wait for ongoing heartbeat to finish in NotifyHeartbeat
  • lxc/config_trust: Support --name flag for tokens
  • client: Replace chConnected with ctxConnected
  • client/lxd/events: Updates SendEvent to use context deadline for timeout
  • test: Update clustering membership tests to not expect a specific promotion order of members
  • lxc/network_zone: Fix typo (entriess to entries)
  • lxc/cluster: Fix typo (doest to does)
  • i18n: Update translation templates
  • test: Update cluster rebalance tests to not use member specific role logic
  • test: Add cluster show to failure domains test to capture cluster state on intermittent test failure
  • shared/api/url: Add WithQuery
  • lxd/daemon: Run nodeRefreshTask inside cluster.EventsUpdateListeners as part of wait group
  • lxd/cluster/heartbeat: Fix comment
  • client: Introduce DoHTTP
  • client: DoHTTP usage
  • lxc/query: Use DoHTTP
  • lxd/api_metrics: Rename resp to metricSet
  • lxd/api_metrics: Support target
  • doc/rest-api: Refresh swagger YAML
  • lxd/certificates: Fix token generation over HTTPS
  • lxd/cgroup: Fix bad cpuset check
  • lxc/cluster_group: Update long descriptions
  • i18n: Update translation templates
  • lxd/device/nic/routed: Comment ending
  • lxd/device/nic/routed: Moves parent and vlan check to validation
  • lxd/device/nic/routed: Remove feature check of liblxc as no longer depends on it
  • lxd/device/nic/routed: Adds d.effectiveParentName to cache result from network.GetHostDevice
  • lxd/device/nic/routed: Fixes bug where if vlan effective interface didn't exist start would fail
  • lxd/device/nic/routed: Align with macvlan logic for setting up vlan interface
  • lxd/device/nic/routed: Delete created VLAN device on start failure
  • lxd/device/nic/routed: Use d.effectiveParentName for consistency in postStop
  • lxd/device/nic/routed: Adds missing comment to checkIPAvailability
  • lxd/device/device/utils/network: Sets ARP probe timeout based on context deadline in isIPAvailable
  • lxd/device/device/utils/network: Removes use of unnecessary go routines in isIPAvailable
  • lxd/device/device/utils/network: Change isIPAvailable signature to return bool for found and separate probe errors
  • lxd/device/nic/routed: Updates checkIPAvailability to use updated isIPAvailable
  • test: Adds test for routed vlan without parent
  • test: Adds routed NIC test for VLAN parent interface creation
  • doc/metrics: use secp384r1 curve with SHA384 signature
  • lxd/device/nic/routed: Adds ipv{n}.neighbor_probe option
  • doc: Adds routed NIC ipv{n}.neighbor_probe setting
  • lxd/device/nic/bridged: Update setupHostFilters to return a reverter
  • lxd/device/nic/bridged: Only call d.removeFilters in postStop if filtering enabled
  • api: Adds instance_nic_routed_neighbor_probe extension
  • test: Adds tests for routed NIC IP available detection
  • test: Fix incorrect command in clustering_failure_domains
  • test: Fix profile leak
  • lxd/instance/qemu: Allow live update of cluster.evacuate
  • lxd/certificates: Better handle authentication
  • lxd/db/node: Adds ClusterRoleEventHub constant and ID entry
  • lxd/db/node: Removes unused functions RemoveNodeRole and CreateNodeRole
  • lxd/db/node: Changes Roles field type to []ClusterRole in NodeInfo struct
  • lxd/db/node: Error formatting
  • lxd/cluster/heartbeat: Adds supplementary non-database member role info to heartbeat
  • lxd/cluster/events: Populate heartbeat member roles from DB in EventsUpdateListeners
  • lxd/cluster/events: Adds eventHubMinHosts constant
  • lxd/cluster/events: Adds EventMode type and constants
  • lxd/cluster/events: Adds ServerEventMode function
  • lxd/cluster/events: Adds RoleInSlice function
  • lxd/cluster/events: Updates EventsUpdateListeners to only connect to event-hub servers
  • lxd/cluster/events: Rework listener connect notification to support hub addresses
  • lxd/cluster/events: Store remote event listener client in eventListenerClient type.
  • lxd/cluster/events: Use localAddress rather than networkAddress var name
  • lxd/cluster/events: Adds SetEventMode to eventListenerClient
  • lxd/cluster/events: Ensure logging inside EventsUpdateListeners is done outside of listenersLock lock
  • lxd/cluster/events: Log an error when there are no active cluster event listeners
  • lxd/cluster/events: Adds EventHubPush function
  • lxd/events/events: Adds InjectFunc type
  • lxd/cluster/events: EventsUpdateListeners InjectFunc usage
  • lxd/events/events: Renames Forward to Inject to better reflect what it does
  • lxd/events/events: Adds NotifyFunc support
  • lxd/events/events: Adds ability to exclude events from certain locations from being broadcasted
  • lxd/api/cluster: Trigger notify heartbeat on event-hub member change in updateClusterNode
  • lxd/cluster/membership: state.Events.Inject usage
  • lxd/daemon: d.events.Inject usage
  • lxd/daemon: Wires up cluster.EventHubPush to events.NewServer notify handler
  • lxd-agent/daemon: events.NewServer usage
  • lxd-agent/events: d.events.AddListener excludeSources usage
  • lxd/events: Adds support for receiving events from cluster members in eventsSocket
  • shared/api/server: Adds ServerEventMode to ServerEnvironment
  • lxd/api/1.0: Populates ServerEventMode in server environment struct
  • api: Adds event_hub API extension
  • doc/rest-api: Refresh swagger YAML
  • lxd/cluster/events: Move state update in EventsUpdateListeners to end
  • lxd/cluster/events: log No active cluster event listeners
  • test: Updates clustering events tests with event-hub support
  • test: Fix clustering_handover test to not expect a certain member promotion order
  • shared/validate: Moves ValidHostname to validate package.
  • shared/validate: Adds IsDeviceName, refactoring logic from IsHostname.
  • lxd/device: Ensures device names are valid when validating config and instantiating.
  • shared/idmap: Add SysProcIDMap functions
  • lxd/storage: Sync before snapshotting
  • lxd/main_forkfile: Replace with SFTP server
  • lxd-agent: Replace file API with SFTP
  • gomod: Add pkg/sftp
  • lxd/instance: Add FileSocket to the interface
  • lxd/instance/lxc: Implement FileSocket
  • lxd/instance/qemu: Implement FileSocket
  • lxd/instance: Add FileSFTP to the interface
  • lxd/instance/lxc: Implement FileSFTP
  • lxd/instance/qemu: Implement FileSFTP
  • lxd/instance: Remove FilePull
  • lxd/instance: Remove FileRemove
  • lxd/instance: Remove FileExists
  • lxd/instance: Remove FilePush
  • lxd/instance/lxc: Port to using FileSFTP
  • lxd/instance_file: Port to SFTP
  • gomod: Update dependencies
  • shared/util: IsTrue description
  • shared/util: Adds IsTrueOrEmpty function
  • shared/util: IsFalse description
  • shared/util: Adds IsFalseOrEmpty function
  • lxd/device/nic/routed: shared.IsTrueOrEmpty usage
  • lxd/device/disk: Use shared.IsTrueOrEmpty and shared.IsFalseOrEmpty
  • lxd/device/disk: Replace use of !shared.IsTrue with shared.IsFalseOrEmpty for security.shifted
  • lxd/device/gpu: Replace !shared.IsTrue with shared.IsFalseOrEmpty for nvidia.runtime
  • lxd/device/nic: Replace !shared.IsTrue with IsFalse or IsFalseOrEmpty
  • lxd/device/proxy: Replace !shared.IsTrue with shared.IsFalseOrEmpty
  • lxd/storage: Adds allowInconsistent to pool interface RefreshInstance signature.
  • lxd: Passes allowInconsistent from instanceCreateAsCopyOpts into pool.RefreshInstance.
  • lxd/storage: Uses allowInconsistent in call to MigrateInstance on refresh.
  • lxd/storage/filesystem: Add SyncFS
  • lxd/storage: Use filesystem.Syncfs
  • lxd/storage/drivers: Replace !shared.IsTrue with shared.IsFalse for rsync.compression option
  • lxd/storage/drivers/driver/ceph: Replace !shared.IsTrue with shared.IsFalse or shared.IsFalseOrEmpty
  • lxd/storage/drivers/driver/lvm: Replaces !shared.IsTrue with shared.IsFalse or shared.IsFalseOrEmpty
  • lxd/storage/drivers/driver/zfs/volumes: Replace !shared.IsTrue with shared.IsFalse for zfs.clone_copy
  • lxd/storage/drivers/zfs: Replace !shared.IsTrue with shared.IsFalse or shared.IsFalseOrEmpty
  • lxd/api/cluster: Replace !shared.IsTrue with shared.IsFalseOrEmpty for features.networks
  • lxd/api/project: Replace !shared.IsTrue with shared.IsFalse for features.profiles
  • lxd/devlxd: Replace !shared.IsTrue with shared.IsFalseOrEmpty for security.devlxd.images
  • lxd/instance: Replace shared.IsTrue with shared.IsFalseOrEmpty for snapshots.schedule.stopped
  • lxd/patches: Replace !shared.IsTrue with shared.IsFalse
  • lxd/apparmor/instance: Replace !shared.IsTrue with shared.IsFalseOrEmpty for security.privileged
  • lxd/instance/drivers/driver/lxc: Replace !shared.IsTrue with !shared.IsFalseOrEmpty for security.idmap.isolated
  • lxd/instance/drivers/driver/lxc: Replace !shared.IsTrue with shared.IsFalse for limits.memory.swap
  • lxd/dnsmasq/dhcpalloc: Replaces !shared.IsTrue with shared.IsFalseOrEmpty for ipv6.dhcp.stateful
  • lxd/instance/drivers/driver/qemu: Replaces !shared.IsTrue with shared.IsFalseOrEmpty for migration.stateful
  • lxd/instance/instance/utils: Replace !shared.IsTrue with shared.IsFalseOrEmpty for security.privileged
  • lxd/network/driver: Replace !shared.IsTrue with shared.IsFalseOrEmpty for ipv{n}.nat
  • lxd/network/driver/bridge: Replace !shared.IsTrue with shared.IsFalseOrEmpty for ipv6.dhcp.stateful
  • lxd/network/driver/ovn: Replace !shared.IsTrue with shared.IsFalseOrEmpty for restricted option for projects
  • lxd/network/driver/ovn: Replace !shared.IsTrue with IsFalse for ipv{n}.dhcp
  • lxd/network/driver/physical: Replace !shared.IsTrue with shared.IsFalseOrEmpty for volatile.last_state.created
  • lxd/network/zone: Replace shared.IsTrue usage for NAT logic
  • lxd/project/permissions: Replace !shared.IsTrue with shared.IsFalse for features.images
  • lxd/project/permissions: Replace !shared.IsTrue with shared.IsFalseOrEmpty for security.idmap.isolated
  • lxd/project/permissions: Replace !shared.IsTrue with shared.IsFalseOrEmpty for restricted
  • lxd/seccomp: Replace !shared.IsTrue with shared.IsFalseOrEmpty for syscall interception settings
  • lxd/instance/drivers/driver/qemu: Replace !shared.IsFalse with shared.IsTrueOrEmpty for security.secureboot
  • test: Adds check for negated shared.Is(True|False)*() function calls
  • test: Exclude .git dir from static grep checks
  • test: Removes reference to non-existent package shared/subtest
  • lxd/db/generate: Fix bad loop logic
  • lxd/instance/lxc: Use contextual logger in Metrics
  • doc: add Open Graph metadata
  • doc: use bugfix for Open Graph Sphinx extension
  • lxd/storage: Moves PathNameEncode and PathNameDecode to filesystem package
  • lxd/storage/drivers/driver/btrfs/volumes: filesystem.PathNameEncode usage
  • lxd/device: filesystem.PathNameEncode and filesystem.PathNameDecode usage
  • lxd/dnsmasq/dnsmasq: Update dnsMasqEntryFileName to use storageDrivers.PathNameEncode to escape device name
  • lxd/device/device/load: Update New to return device even if name validation fails
  • shared/validate/validate: Relax IsDeviceName checks
  • test: Adds missing device name validation tests
  • doc: fix Open Graph version
  • lxd/dnsmasq: Adds staticAllocationDeviceSeparator const
  • lxd/dnsmasq: Renames dnsMasqEntryFileName to StaticAllocationFileName
  • lxd/dnsmasq: StaticAllocationFileName usage
  • lxd/dnsmasq: StaticAllocationFileName test
  • lxd/dnsmasq: Removes Name and Static field and replaces with StaticFileName field
  • lxd/dnsmasq: Updates DHCPStaticAllocation to just accept a deviceStaticFileName
  • lxd/dnsmasq: Update DHCPAllAllocations to use StaticFileName field
  • lxd/dnsmasq: DHCPStaticAllocation usage
  • lxd/dnsmasq/dhcpalloc: Updates getDHCPFreeIPv4 and getDHCPFreeIPv6 to accept deviceStaticFileName argument
  • lxd/network/network/utils: dnsmasq.DHCPStaticAllocation updated usage with deviceStaticFileName
  • lxd/device/nic/bridged: dnsmasq.DHCPStaticAllocation updated usage with deviceStaticFileName
  • lxd/apparmor: AppArmor support for extractors
  • lxd/archive: Add archive package
  • shared/subprocess: Support for file descriptors
  • lxd/backup: AppArmor support for extractors
  • lxd: AppArmor support for extractors
  • lxd/storage/drivers: AppArmor support for extractors
  • lxd/storage: AppArmor support for extractors
  • shared: Move Unpack to lxd/archive
  • lxd/db/warnings/types: Removes unused WarningTypes and population code
  • lxd/warnings: Renames ResolveWarningsOlderThan to ResolveWarningsByLocalNodeOlderThan
  • lxd/daemon: warnings.ResolveWarningsByLocalNodeOlderThan usage
  • lxd/warnings: Fix entityID logic bugs in resolve and delete functions
  • shared: Adds agent.rename_interfaces config key for VMs.
  • lxd/device/config: Adds NicConfig struct for passing data into VM.
  • lxd/device/bridged: Returns interface MTU as part of run configuration.
  • lxd/instance/drivers: Writes nic data to VM config share.
  • lxd-agent: Reads nic configuration and applies it at startup.
  • doc: Adds agent.rename_interfaces config key.
  • api: Adds agent_rename_interfaces extension.
  • lxd/db/query/dump: Add context param to query.Dump
  • lxd/db/query/transaction: Add TransactionCtx
  • doc: fix the footer
  • lxd/device/config/device/runconfig: Long form import
  • lxd/device/config/device/runconfig: Adds NICConfigDir constant
  • lxd/device/config/device/runconfig: Adds DeviceName and NICName to NICConfig struct
  • lxd-agent/network: Updates NIC config parsing to use map of deviceConfig.NICConfig
  • lxd/instance/drivers/driver/qemu: deviceConfig.NICConfigDir usage
  • doc: Fix cert pathing in metrics.md
  • lxd/instance/drivers/driver/qemu: Escape the NIC device name in QEMU config with filesystem.PathNameEncode
  • lxd/instance/drivers/driver/qemu: Use proper quoting in error from addNetDevConfig
  • lxd/instance/drivers/driver/qemu: Removes device name used as nic name in addNetDevConfig
  • lxd/instance/drivers/driver/qemu: Reworks writeNICDevConfig
  • lxd/device/device/utils/network: Reworks networkCreateVethPair and networkCreateTap to return MTU value used
  • lxd/device/nic/bridged: networkCreateVethPair and networkCreateTap usage
  • lxd/device/nic/ovn: networkCreateVethPair and networkCreateTap usage
  • lxd/device/nic/p2p: networkCreateVethPair and networkCreateTap usage
  • lxd/device/nic/routed: networkCreateVethPair and networkCreateTap usage
  • lxd/device/nic/routed: Adds missing name property for VM device
  • lxd/device/nic/routed: Make routed NIC hotpluggable
  • lxd/device/nic/macvlan: Adds support for mtu applying via lxd-agent in VMs
  • test: Work around very intermittent ip: RTNETLINK answers: File exists error
  • api: Renames agent_rename_interfaces to agent_nic_config
  • lxd: Rename agent.rename_interfaces to agent.nic_config
  • doc/instances: Removes trailing whitespace
  • lxd/util/sys: Move RuntimeLiblxcVersionAtLeast to instance package
  • lxd/util/sys: Move GetIdmapSet to shared/idmap
  • lxd/db/generate: Add leftjoin support
  • lxd/db/generate: Adds coalesce support for joined fields
  • lxd/db/generate: Removes white space
  • lxd/db/generate/db/mapping: Adds WarningStatus and WarningType to column types
  • lxd/db/generate/db/stmt: Update filter generation to use []string for where statement
  • lxd/db/generate/db/stmt: Ensure coalesced fields are filtered on their coalesced value
  • lxd/db/warnings: Uses DB generator for warnings functions
  • lxd: tx.GetWarnings usage
  • lxd/instance/drivers/driver/common: tx.DeleteWarnings usage
  • lxd/db/warnings: Avoid duplication results in UpsertWarning
  • lxd/instance/qemu: Properly wrap error
  • lxd/instance: Introduce Info.Features
  • lxd/instance/qemu: Add checkFeature
  • lxd/instance/qemu: Detect and use io_uring
  • lxd/instance/drivers/driver/lxc: Remove duplicate import of github.com/lxc/lxd/lxd/storage
  • lxd/instance/test: Fix inconsistent import name of github.com/lxc/lxd/lxd/storage
  • shared/api/storage/pool: Adds StoragePoolStatusUnvailable constant
  • lxd/db/warnings/types: Adds WarningStoragePoolUnvailable, description and severity
  • lxd/storage: Update setupStorageDriver to retry initializing failed pools
  • lxd/storage/pool/interface: Adds ToAPI
  • lxd/storage/backend/mock: Implements ToAPI
  • lxd/storage/backend/lxd: Implements ToAPI
  • lxd/storage/backend/lxd: Adds unavailablePools variable and maintains via Mount function result
  • lxd/storage/backend/lxd: Description typo for GetVolume
  • lxd/storage/backend/lxd: Update LocalStatus to return StoragePoolStatusUnvailable if not initialised locally
  • lxd/storage/pools: Switch to loading pool and using the ToAPI and LocalStatus functions
  • lxc/storage: Add STATE column output even in non-clustered environment
  • lxd/storage/backend/lxd: Adds isStatusReady function to check if pool is ready for use
  • lxd/storage/backend/lxd: Delete persistent warnings on pool delete
  • lxd/storage/load: Adds Patch function
  • lxd/patches: Updates patchGenericStorage to call storagePools.Patch()
  • lxd/storage/utils: Adds logging to ImageUnpack
  • lxd/apparmor/archive: Adds additional permissions for unsquashfs to apparmor profile
  • lxd/archive/archive: Don't use supplementary unpacker command
  • lxd/archive/archive: Better return structure (golint)
  • lxd/archive: Improve error and logging in Unpack
  • lxd/instance/drivers/driver/qemu: Fix VM support detection regression
  • lxd/instance/qemu: Fix incorrect comment
  • lxd/instance/qemu: Disable io_uring on loop pools
  • lxd/instance/qemu: io_uring naming consistency
  • lxd/apparmor: Allow rw remount of /run
  • Add the Grafana dashboard (15726)
  • shared/tcp/tcp/timeouts: Adds tcp package with functions for setting timeouts
  • lxd: github.com/lxc/lxd/shared/tcp usage
  • lxd/util/net: Removes TCP timeout functions
  • test: Wait longer for second node to be demoted
  • lxd/network/driver/common: Fix typos in errors
  • lxc/storage_volume: Fix list of default columns
  • i18n: Update translation templates
  • lxd/warnings: Removes unused functions
  • lxd/network/driver/bridge: As network ID is globally unique, delete warnings by ID on delete
  • lxd/networks: Removes duplicated warnings delete call
  • lxd/network/driver/bridge: Don't refresh BGP prefixes during forward update
  • lxd/bgp: Fix RemovePrefixByOwner when multiple matches
  • doc: whitespace changes
  • doc: moving content
  • shared/tcp/tcp/timeouts: Adds support for using net.TCPConn directly with ExtractConn
  • client/lxd: Adds setURLQueryAttributes function
  • lxd/instance/drivers/driver/qemu: Close connection on client error in FileSFTP
  • lxd/instance/drivers/driver/lxc: Close connection on client error in FileSFTP
  • Replace github.com/pkg/errors with fmt and errors
  • Replace errors.Unwrap() with errors.Is()
  • Use %w in fmt.Errorf to wrap errors
  • gomod: Update dependencies
  • i18n: Update translation templates
  • test: Update godeps.list
  • lxd/db/query: Fix IsRetriableError
  • doc: add some headings
  • lxd/instance/sftp: Adds /1.0/instances//sftp handler
  • client/interfaces: Adds GetInstanceFileSFTP and GetInstanceFileSFTPConn to InstanceServer
  • client/lxd/instances: Adds SFTP support to ProtocolLXD
  • lxc/file: Adds mount command
  • test/godeps.list: Updates godeps
  • i18n: Update translation templates
  • doc/rest-api: Refresh swagger YAML
  • lxd/device/disk: Store the storage pool inside device to avoid repeated DB queries
  • lxd/device/disk: Return VM mount directio and loop backed options
  • lxd/instance/drivers/driver/qemu: Detect io_uring support for root and custom block volumes
  • doc: update Network ACLs documentation
  • doc: add required links
  • doc: whitespace changes
  • doc: move content
  • doc: add some headings
  • doc: update network forwards documentation
  • lxd/task/group: Clarify message about tasks still running
  • lxd/daemon: Error not checked from ResolveWarningsByLocalNodeOlderThan
  • lxd/device/disk: Remove duplicated import
  • lxd/storage/backend/lxd: Don't try mounting volumes if pool not available
  • lxd/storage: Add and use error ErrPoolUnavailable
  • lxd/instance/drivers: Moves shared storagePool var into common
  • lxd/storage/load: Adds UnavailablePools function
  • lxd/storage: Update setupStorageDriver to call instancesStart when pool is subsequently initialised
  • lxd/instances: Updates instancesStart to check disk pools are available
  • lxd/instance/drivers/driver/qemu: Improve secureboot needs to be disabled error
  • lxc/file: Adds support for setting up local SFTP server for mount command
  • i18n: Update translation templates
  • lxd/device/disk: Detect disk pool VM mount options using single call to os.Stat
  • lxd/network/openvswitch/ovn: Update LogicalRouterRoutes to support recent versions of ovn
  • seccomp: pass a pidfd to process_still_alive
  • lxd/apparmor/archive: Expand all paths
  • lxd/instance/qemu: Switch TPM mode to CRB
  • lxc/storage_volume: Tweak error message
  • lxc/storage_volume: Align info with lxc info
  • i18n: Update translation templates
  • doc/instances: Fix missing escaping
  • api: projects_restricted_intercept
  • lxd/projects: Add restricted.containers.interception
  • lxd/project: Add restricted.containers.intercept
  • doc: Add restricted.containers.interception
  • scripts: Add restricted.containers.interception
  • tests: Validate restricted.containers.interception
  • lxd/node: Fix typo in metrics_address description
  • api: metrics_authentication
  • lxd/cluster: Add core.metrics_authentication
  • lxd/metrics: Allow disabling authentication
  • doc/server: Add core.metrics_authentication
  • scripts/bash: Update completion for metrics
  • tests: Add test for core.metrics_authentication
  • lxd/device/device/utils/disk: Update DiskVMVirtiofsdStart to check sharePath is absolute
  • lxd/device/disk: Start virtfs-proxy-helper after virtiofsd
  • lxd/instance/drivers/driver/lxc: Disable idmapped mounts if LXD_SHIFTFS_DISABLE=true
  • lxd/instance/qemu: Disable hv_passthrough when migratable
  • lxd/apparmor: Attempt to deref exePath
  • grafana: fix project disk usage overview of the rootfs
  • grafana: use available bytes when computing rootfs used space
  • grafana: bump dashboard version
  • lxc/utils/sort: Move sorting helpers to utils package
  • lxc: Use utils package for sorting tables.
  • lxd/apparmor: Handle missing paths
  • lxd/instance/qemu: Set spawn=allow
  • lxd/instance_file: Add last-modified header
  • doc/rest-api: Refresh swagger YAML
  • lxd/instance_file: Fix gofmt
  • lxc/file: Adds --listen flag to mount command
  • i18n: Update translation templates
  • lxc/file: Check instance exists in mount SSH SFTP listener mode
  • test: Adds basic file mount SSH SFTP listener tests
  • lxd: Adds IdmappedMounts field to OS struct
  • lxd/db/generate/db/stmt: Add leftjoin support to naturalKeySelect
  • lxd/db/generate/db/stmt: Only join fields contained within natural key in naturalKeySelect
  • lxd/db/warnings: Use WarningExists from DB generator
  • lxd/device/nic: Lock concurrent access to networkSRIOVRestoreVF
  • lxd/device: Allow ipv{n}.address=none for managed networks.
  • lxd/device: Check ip{n}.address != none before allocating.
  • tests: Check that all protocols are blocked when ipv{n}.address=none
  • lxd/storage/drivers/generic/vfs: Pass --numeric-owner to tar unpack command
  • tests: Fix ordering in bridge filtering test
  • i18n: Update translations from weblate
  • gomod: Update dependencies
  • i18n: Update translations from weblate

Try it for yourself

This new LXD release is already available for you to try on our demo service.

Downloads

The release tarballs can be found on our download page.

Binary builds are also available for:

  • Linux: snap install lxd
  • MacOS: brew install lxc
  • Windows: choco install lxc

LXD 4.23 has been released

12th of February 2022

Introduction

The LXD team is very excited to announce the release of LXD 4.23!

This is a very busy release with four major features and quite a lot more smaller features, not to mention a lot of bug fixes and performance improvements.

Enjoy!

New features and highlights

lxd-migrate replaces lxd-p2c

lxd-p2c, which allowed importing an existing system or filesystem tree into a LXD container using the migration API, has been replaced by lxd-migrate.

The new tool takes what lxd-p2c supported and adds in:

  • Support for migrating disk images to LXD virtual machines
  • Support for more authentication methods
  • More fine-grained overrides of network, storage, profiles and other configuration options

It otherwise remains a tool which can be statically built and only relies on rsync being present on the source system. The transfer is done through LXD's migration API and so can be done against any LXD server, local or remote.

Specification: https://discuss.linuxcontainers.org/t/lxd-unified-p2c-p2v-migration-tool/12903

Token based authentication

As part of our effort to strengthen LXD's API security, it is now possible to issue a one-time token that allows a new client to interact with LXD. This is a much better alternative to using a shared trust password and is easier to handle than manually sending certificates around.

Similar to what was done with lxc cluster add, it is now possible to use lxc config trust add to issue a new token. This token includes connection information, the server certificate fingerprint and a one-time secret.

stgraber@castiana:~$ lxc config trust list
+------+------+-------------+-------------+------------+-------------+
| TYPE | NAME | COMMON NAME | FINGERPRINT | ISSUE DATE | EXPIRY DATE |
+------+------+-------------+-------------+------------+-------------+

stgraber@castiana:~$ lxc config trust add
Please provide client name: castiana
Client castiana certificate add token: eyJjbGllbnRfbmFtZSI6ImNhc3RpYW5hIiwiZmluZ2VycHJpbnQiOiI1N2FhYjFkMjNhMGRlODdjZmQxNzkwNzNkMDVlN2U5OGIyY2U2ZjRmNTM1NjVkYzUzOTY1MjQ1MzRkNWU1NjM0IiwiYWRkcmVzc2VzIjpbIjE3Mi4xNy4wLjE0MTo4NDQzIiwiWzI2MDI6ZmM2MjpiOjEwMDA6NDNhNjo2NTJlOmZlZjI6ZTg4Y106ODQ0MyIsIjEwLjEyOC4xOTIuMTo4NDQzIiwiW2ZkNDI6YWU1Zjo5OGFiOmE4MTY6OjFdOjg0NDMiXSwic2VjcmV0IjoiYjVmMzQwZmJlN2IxOWM3M2U2MDFjZTJkYTc4YzNhMTlhZDgwY2RmZDExZDRkOTA1YTg0ODE2MTE5NWI3YzIwNSJ9

stgraber@castiana:~$ lxc remote add my-server eyJjbGllbnRfbmFtZSI6ImNhc3RpYW5hIiwiZmluZ2VycHJpbnQiOiI1N2FhYjFkMjNhMGRlODdjZmQxNzkwNzNkMDVlN2U5OGIyY2U2ZjRmNTM1NjVkYzUzOTY1MjQ1MzRkNWU1NjM0IiwiYWRkcmVzc2VzIjpbIjE3Mi4xNy4wLjE0MTo4NDQzIiwiWzI2MDI6ZmM2MjpiOjEwMDA6NDNhNjo2NTJlOmZlZjI6ZTg4Y106ODQ0MyIsIjEwLjEyOC4xOTIuMTo4NDQzIiwiW2ZkNDI6YWU1Zjo5OGFiOmE4MTY6OjFdOjg0NDMiXSwic2VjcmV0IjoiYjVmMzQwZmJlN2IxOWM3M2U2MDFjZTJkYTc4YzNhMTlhZDgwY2RmZDExZDRkOTA1YTg0ODE2MTE5NWI3YzIwNSJ9

stgraber@castiana:~$ lxc list my-server:
+-----------+---------+----------------------+-----------------------------------------------+-----------+-----------+
|   NAME    |  STATE  |         IPV4         |                     IPV6                      |   TYPE    | SNAPSHOTS |
+-----------+---------+----------------------+-----------------------------------------------+-----------+-----------+
| lxd-build | RUNNING | 10.128.192.40 (eth0) | fd42:ae5f:98ab:a816:216:3eff:fe28:c0a6 (eth0) | CONTAINER | 0         |
+-----------+---------+----------------------+-----------------------------------------------+-----------+-----------+

stgraber@castiana:~$ lxc config trust list
+--------+----------+------------------+--------------+-------------------------------+-------------------------------+
|  TYPE  |   NAME   |   COMMON NAME    | FINGERPRINT  |          ISSUE DATE           |          EXPIRY DATE          |
+--------+----------+------------------+--------------+-------------------------------+-------------------------------+
| client | castiana | UNKNOWN@castiana | 6f5a027652fb | Nov 16, 2021 at 12:27am (UTC) | Nov 14, 2031 at 12:27am (UTC) |
+--------+----------+------------------+--------------+-------------------------------+-------------------------------+

You'll note that the client never had to provide the server address, validate the server fingerprint or provide a password, as all of that is part of the token. A token can be restricted to a set of projects at the time of creation, making this ideal for enrolling new users into a shared environment.

Specification: https://discuss.linuxcontainers.org/t/lxd-token-based-remote-connection/13114
Documentation: https://linuxcontainers.org/lxd/docs/master/authentication/#adding-client-certificates-using-tokens
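The token pasted into lxc remote add above is a base64-encoded JSON document. The following Go program is an added example, not LXD's own code: it decodes the token from the transcript (whose one-time secret has long since been consumed), reports the client name, the server certificate fingerprint the client will pin to and the addresses it will try, and flags anything that does not look right, all without echoing the secret. The trustToken struct and the function names are my own; the JSON field names are the ones visible in the decoded token.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// trustToken holds the fields found once the token printed by
// "lxc config trust add" is base64-decoded. The field names come from the
// decoded token shown above; the struct itself is an illustration, not LXD's own type.
type trustToken struct {
	ClientName  string   `json:"client_name"`
	Fingerprint string   `json:"fingerprint"` // server certificate SHA-256, hex
	Addresses   []string `json:"addresses"`   // host:port candidates the client will try
	Secret      string   `json:"secret"`      // one-time secret, consumed on first use
}

// pageToken is the token from the transcript above. Its one-time secret was
// consumed when that transcript was made, so it only serves as parse input here.
const pageToken = "eyJjbGllbnRfbmFtZSI6ImNhc3RpYW5hIiwiZmluZ2VycHJpbnQiOiI1N2FhYjFkMjNhMGRlODdjZmQxNzkwNzNkMDVlN2U5OGIyY2U2ZjRmNTM1NjVkYzUzOTY1MjQ1MzRkNWU1NjM0IiwiYWRkcmVzc2VzIjpbIjE3Mi4xNy4wLjE0MTo4NDQzIiwiWzI2MDI6ZmM2MjpiOjEwMDA6NDNhNjo2NTJlOmZlZjI6ZTg4Y106ODQ0MyIsIjEwLjEyOC4xOTIuMTo4NDQzIiwiW2ZkNDI6YWU1Zjo5OGFiOmE4MTY6OjFdOjg0NDMiXSwic2VjcmV0IjoiYjVmMzQwZmJlN2IxOWM3M2U2MDFjZTJkYTc4YzNhMTlhZDgwY2RmZDExZDRkOTA1YTg0ODE2MTE5NWI3YzIwNSJ9"

// decodeTrustToken decodes the base64 JSON payload, tolerating a token whose
// trailing '=' padding was lost when it was copied around.
func decodeTrustToken(token string) (*trustToken, error) {
	token = strings.TrimSpace(token)
	if rem := len(token) % 4; rem != 0 {
		token += strings.Repeat("=", 4-rem)
	}
	raw, err := base64.StdEncoding.DecodeString(token)
	if err != nil {
		return nil, fmt.Errorf("token is not valid base64: %w", err)
	}
	var t trustToken
	if err := json.Unmarshal(raw, &t); err != nil {
		return nil, fmt.Errorf("token payload is not JSON: %w", err)
	}
	return &t, nil
}

// isHex reports whether s is exactly n lowercase hex digits.
func isHex(s string, n int) bool {
	if len(s) != n {
		return false
	}
	for _, c := range s {
		if !strings.ContainsRune("0123456789abcdef", c) {
			return false
		}
	}
	return true
}

// checkTrustToken lists what a reviewer would want to know before passing the
// token to "lxc remote add": the server fingerprint must be a full SHA-256 so
// there is something to pin the TLS connection to, at least one address must be
// present, and the one-time secret must look like a 256-bit value.
func checkTrustToken(t *trustToken) []string {
	var problems []string
	if !isHex(t.Fingerprint, 64) {
		problems = append(problems, "fingerprint is not a 64 hex digit SHA-256")
	}
	if len(t.Addresses) == 0 {
		problems = append(problems, "token carries no server address")
	}
	if !isHex(t.Secret, 64) {
		problems = append(problems, "secret is not a 64 hex digit value")
	}
	return problems
}

// summarize describes what the token will make the client trust, without echoing the secret.
func summarize(t *trustToken) string {
	return fmt.Sprintf("client=%s server-fingerprint=%s addresses=[%s] secret=<%d chars, redacted>",
		t.ClientName, t.Fingerprint, strings.Join(t.Addresses, " "), len(t.Secret))
}

func main() {
	t, err := decodeTrustToken(pageToken)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(summarize(t))
	for _, p := range checkTrustToken(t) {
		fmt.Println("warning:", p)
	}
}
```

Because the fingerprint travels inside the token, the client pins the server certificate on first contact instead of trusting whatever answers at the address; a token whose fingerprint or secret is missing or truncated is worth rejecting rather than guessing about.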

Custom DNS records in network zones

Network zones were first introduced as a way to easily get auto-generated forward and reverse DNS records for LXD instances.

Now it's also possible to manually add additional DNS records to those zones.
This is done through lxc network zone record or the matching API.

Those records can be particularly useful when doing DNS validation for services like Let's Encrypt or when performing domain validation with some kind of third-party service.

Specification: https://discuss.linuxcontainers.org/t/lxd-custom-dns-records-in-network-zones/13128
Documentation: https://linuxcontainers.org/lxd/docs/master/network-zones/#custom-records

Image requirements

LXD images can now make use of special properties to indicate requirements to LXD.

The initial implementation comes with two of those:

  • requirements.cgroup
  • requirements.secureboot

The former can be used to tell LXD that a particular image requires some kind of cgroup tree.
This currently only supports v1 as a value, which will have LXD check that the host system still supports CGroupV1 (a common issue when running distributions such as CentOS 7 or Ubuntu 16.04 on a modern system which relies on cgroup2).

The latter can be set to false to indicate that the image cannot boot when secureboot is enabled.

In both cases, LXD will perform those checks on instance start and fail with an error should the requirements not be met.

stgraber@castiana:~$ lxc launch images:centos/7 c1
Creating c1
Starting c1
Error: The image used by this instance requires a CGroupV1 host system

Documentation: https://linuxcontainers.org/lxd/docs/master/image-handling/#special-image-properties

Network ACL log access (OVN)

When using network ACLs on an OVN network, it is possible to set the rule state to logged so that any traffic hitting the rule causes a log entry.

Those log entries show up in the OVN log of the system running the affected instance.
Unfortunately, the OVN log isn't always very readable, and unprivileged users will not have access to it at all.

That's why we're now adding an API and matching CLI to retrieve the log entries related to a particular ACL.

root@abydos:~# lxc network acl show-log unifi
{"time":"2022-02-12T06:01:26Z","proto":"tcp","src":"45.45.148.253","dst":"45.45.148.3","src_port":"33556","dst_port":"22","action":"reject"}
{"time":"2022-02-12T06:01:26Z","proto":"tcp6","src":"2602:fc62:b:1000:43a6:652e:fef2:e88c","dst":"2602:fc62:a:1::3","src_port":"52590","dst_port":"22","action":"reject"}

Specification: https://discuss.linuxcontainers.org/t/lxd-network-acl-logging/13223
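Each line of lxc network acl show-log output is one JSON object, which makes it easy to feed into detection logic. The Go program below is an added example, not part of LXD: it parses lines in that format, counts entries per source address for a given action and reports the sources that exceed a threshold, the shape of a "repeated rejected connections to port 22 from one host" alert. The input is the two lines from the transcript above plus three constructed lines from the documentation address 192.0.2.10 so that the threshold is actually crossed; the type and function names are my own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// aclLogEntry mirrors the fields of the show-log output above.
type aclLogEntry struct {
	Time    string `json:"time"`
	Proto   string `json:"proto"`
	Src     string `json:"src"`
	Dst     string `json:"dst"`
	SrcPort string `json:"src_port"`
	DstPort string `json:"dst_port"`
	Action  string `json:"action"`
}

// sampleLog holds the two lines from the transcript above followed by three
// constructed lines (source 192.0.2.10, a documentation address) so the
// threshold check below has something to report.
const sampleLog = `
{"time":"2022-02-12T06:01:26Z","proto":"tcp","src":"45.45.148.253","dst":"45.45.148.3","src_port":"33556","dst_port":"22","action":"reject"}
{"time":"2022-02-12T06:01:26Z","proto":"tcp6","src":"2602:fc62:b:1000:43a6:652e:fef2:e88c","dst":"2602:fc62:a:1::3","src_port":"52590","dst_port":"22","action":"reject"}
{"time":"2022-02-12T06:01:31Z","proto":"tcp","src":"192.0.2.10","dst":"45.45.148.3","src_port":"40001","dst_port":"22","action":"reject"}
{"time":"2022-02-12T06:01:32Z","proto":"tcp","src":"192.0.2.10","dst":"45.45.148.3","src_port":"40002","dst_port":"22","action":"reject"}
{"time":"2022-02-12T06:01:33Z","proto":"tcp","src":"192.0.2.10","dst":"45.45.148.3","src_port":"40003","dst_port":"22","action":"reject"}
`

// parseACLLog parses one JSON object per line, skipping blank lines and
// stopping at the first malformed line or unparseable timestamp.
func parseACLLog(raw string) ([]aclLogEntry, error) {
	var entries []aclLogEntry
	for i, line := range strings.Split(raw, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		var e aclLogEntry
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		if _, err := time.Parse(time.RFC3339, e.Time); err != nil {
			return nil, fmt.Errorf("line %d: bad timestamp %q", i+1, e.Time)
		}
		entries = append(entries, e)
	}
	return entries, nil
}

// countByAction counts entries with the given action (e.g. "reject") per source address.
func countByAction(entries []aclLogEntry, action string) map[string]int {
	counts := map[string]int{}
	for _, e := range entries {
		if e.Action == action {
			counts[e.Src]++
		}
	}
	return counts
}

// noisySources returns, sorted, the source addresses that produced at least
// threshold entries with the given action.
func noisySources(entries []aclLogEntry, action string, threshold int) []string {
	var out []string
	for src, n := range countByAction(entries, action) {
		if n >= threshold {
			out = append(out, src)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	entries, err := parseACLLog(sampleLog)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	counts := countByAction(entries, "reject")
	for _, src := range noisySources(entries, "reject", 3) {
		fmt.Printf("%s: %d rejected connections\n", src, counts[src])
	}
}
```

In practice the input would come from lxc network acl show-log run on a schedule, and the threshold would be tuned per ACL; keying on src alone is deliberate, since the src_port changes on every connection attempt.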

Network state support for OVN

The network state API has now been made to work with OVN.

Concretely, this means that lxc network info now works against an OVN network.

VLAN ranges in vlan.tagged

The vlan.tagged configuration option always supported multiple VLANs as a comma separated list.
While this worked well for most environments, those dealing with a large number of VLANs tend to be more used to ranges.

As a result, LXD now supports using VLAN ID ranges by setting vlan.tagged to something like 10,50,1000-2000.
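To show what such a value has to be checked for, here is an added Go example (my own code, not LXD's ParseNetworkVLANRange) that expands a vlan.tagged style value into the individual VLAN IDs it covers. It rejects IDs outside 1-4094, reversed ranges and malformed entries, and de-duplicates overlapping input, so a bad value is refused before any interface is configured.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// expandVLANList expands a value such as "10,50,1000-2000" into the sorted,
// de-duplicated list of VLAN IDs it covers. Added illustration; not LXD's code.
func expandVLANList(value string) ([]int, error) {
	seen := map[int]bool{}
	for _, entry := range strings.Split(value, ",") {
		entry = strings.TrimSpace(entry)
		if entry == "" {
			return nil, fmt.Errorf("empty VLAN entry in %q", value)
		}
		start, end, err := parseVLANEntry(entry)
		if err != nil {
			return nil, err
		}
		for id := start; id <= end; id++ {
			seen[id] = true
		}
	}
	ids := make([]int, 0, len(seen))
	for id := range seen {
		ids = append(ids, id)
	}
	sort.Ints(ids)
	return ids, nil
}

// parseVLANEntry accepts either a single ID ("50") or an inclusive range
// ("1000-2000") and returns its bounds.
func parseVLANEntry(entry string) (int, int, error) {
	parts := strings.SplitN(entry, "-", 2)
	start, err := parseVLANID(parts[0])
	if err != nil {
		return 0, 0, err
	}
	end := start
	if len(parts) == 2 {
		if end, err = parseVLANID(parts[1]); err != nil {
			return 0, 0, err
		}
		if end < start {
			return 0, 0, fmt.Errorf("VLAN range %q: end is below start", entry)
		}
	}
	return start, end, nil
}

// parseVLANID parses one ID and enforces the 802.1Q usable range 1-4094
// (0 and 4095 are reserved).
func parseVLANID(s string) (int, error) {
	id, err := strconv.Atoi(strings.TrimSpace(s))
	if err != nil {
		return 0, fmt.Errorf("invalid VLAN ID %q", s)
	}
	if id < 1 || id > 4094 {
		return 0, fmt.Errorf("VLAN ID %d outside 1-4094", id)
	}
	return id, nil
}

func main() {
	for _, value := range []string{"10,50,1000-2000", "10,4095", "200-100"} {
		ids, err := expandVLANList(value)
		if err != nil {
			fmt.Printf("%q: %v\n", value, err)
			continue
		}
		fmt.Printf("%q: %d VLAN IDs, first %d, last %d\n", value, len(ids), ids[0], ids[len(ids)-1])
	}
}
```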

Server side filtering of storage volumes

Joining the existing instances and images APIs, the storage-volumes API now supports server-side filtering. It's possible to filter on volume name, type, configuration and have the API return snapshots or not.

Documentation: https://linuxcontainers.org/lxd/docs/master/rest-api/#filtering

zfs.export storage pool configuration

A new zfs.export storage pool configuration option was introduced to control the ZFS pool export behavior on LXD shutdown.

By default, LXD will call zpool export on any storage pool that it fully owns, whether it's created on a loop disk or using a dedicated disk/partition.

With this option, it's possible to have LXD keep the zpool loaded in such cases.

zfs.reserve_space storage volume configuration

Another ZFS configuration addition is zfs.reserve_space, which can be set on a volume and will have ZFS guarantee that the allocated disk space is available to that instance.

This can be particularly useful for critical services which you cannot afford to have run out of disk space should other instances on the system use up the remaining space.

zfs.blocksize storage volume configuration

One last ZFS configuration option is zfs.blocksize which can also be set on storage volumes and controls the block size or record size used. Tweaking this value can be quite helpful to either limit waste when dealing with a lot of very small files or to improve throughput when dealing with very large files.

@never option for snapshot schedule

Lastly, a new snapshot scheduling option @never was introduced.
This can be used to break inheritance of snapshots.schedule.

If snapshots.schedule is set in a profile and you want one instance using that profile to not perform snapshots, then setting snapshots.schedule to @never on the instance itself will do the trick.

Complete changelog

Here is a complete list of all changes in this release:

Full commit list
  • doc: fix language in SECURITY.md
  • lxd/dnsmasq: Append device name to dnsmasq entry file name.
  • Take extra precautions when calling tar
  • lxd: Applies patch to add device names to dnsmasq files.
  • test: Updates test suite to append device names to dnsmasq files.
  • doc: Adds note about newuidmap to machine setup.
  • lxd/instances: Don't check limits on restore
  • tests: Validate snapshots on limited projects
  • test: Fixes number of expected NAT rules when using xtables driver.
  • lxc/config/file: allow overriding default remote by env variable
  • doc/environment: add new LXC_REMOTE variable
  • test: Ensure ebtables is legacy when driver is xtables.
  • client: Add GetInstanceFull
  • lxc/info: Port to using GetInstanceFull
  • lxc/list: Add InstanceFull shortcut
  • client: Add WithContext
  • client: Add context-aware connection functions
  • lxd/instance: Allow stopping during evacuation
  • lxd/cluster: Don't start the instance after live-migration
  • lxd/cluster: Add evacuateClusterSetState
  • lxd/cluster: Use instance architecture instead of cluster member
  • lxd/cluster: Use evacuateClusterSetState
  • lxd/cluster: Fix incorrect reverter
  • lxd/cluster: Fix live-migrate on restore
  • lxd/instance/qemu: Extend live updatable config keys
  • lxd: Refresh all dnsmasq hosts during patch.
  • lxd/instance/drivers: Adds getRootDiskDevice function to common driver.
  • lxd/instance/drivers: Performs disk size check on stateful startup.
  • doc: add a security summary and include it where needed
  • doc: add an authentication section
  • doc: clean up security documentation
  • doc: add styling for abbreviations
  • doc: fix loading of substitutions
  • Growing a loop backed btrfs pool fix snap path
  • doc: use absolute URL for Swagger
  • doc: swagger: hide link to yaml file
  • lxd/db: Import ordering
  • lxd/db: Fix volume sequence regression
  • doc: clean up links in README
  • doc: move missing content from SUPPORT.md to README.md
  • doc: add a support page and include it
  • doc: move SUPPORT.md to .github folder
  • doc: add a link to the Code of Conduct
  • doc: fix link to support documentation
  • doc: fix broken links
  • lxd/network: Adds State function to interface with common implementation.
  • lxd: Call the networks 'State' function if it can be loaded.
  • shared/validate: Introduce ParseNetworkVLANRange
  • lxd/device: Introduce networkVLANListExpand
  • lxd/device/nic: Enable VLAN ranges in vlan.tagged
  • tests: Add tests for VLAN ranges
  • doc/instances: Mention support for ranges in vlan.tagged
  • lxd/device/nic: Fix VLAN range validation
  • shared/validate: Align ParseNetworkVLANRange with ParseUint32Range
  • lxd/device: Update for ParseNetworkVLANRange change
  • lxd/storage/btrfs: Add volume delete shortcut
  • shared/api: Fix typo
  • doc/rest-api: Refresh swagger YAML
  • client: Fix bad arg naming in zone functions
  • doc: enable automatically generated anchors
  • lxd/db: Fix storage_volumes sequence again
  • lxd: Use projectParam function in networkStateGet.
  • shared/api: Adds OVN network state to api response.
  • lxd/network/openvswitch: Adds methods for extracting OVN data.
  • lxd/network: Implements 'State' for the ovn driver.
  • api: Add network_state_ovn extension.
  • doc/rest-api: Update swagger YAML.
  • lxd/network/acl: Port to using fmt.Errorf
  • lxd/network/zone: Port to using fmt.Errorf
  • lxd/network/openvswitch: Port to using fmt.Errorf
  • lxd/network: Port to using fmt.Errorf
  • lxd/instance/lxc: Use absolute rootfs
  • lxd: Add server-side API filtering for storage volumes
  • api: Add storage_volume_api_filtering extension
  • doc/rest-api: Refresh swagger YAML
  • doc: Update rest api filtering doc
  • doc: kernel 5.15+ have sane value for net.core.bpf_jit_limit
  • api: Add image_restrictions extension
  • shared/simplestreams: Support image reqs metadata
  • doc: Add notion of image reqs
  • shared/util: Add IsFalse
  • lxd/drivers: Add secureboot & cgroup image reqs
  • doc: Add secureboot and cgroup image reqs
  • lxd: Add zfs.export
  • lxd/storage/drivers: Support zfs.export
  • doc/storage: Add zfs.export
  • api: Add storage_zfs_export extension
  • lxd/instance/qemu: Enable HyperV flags on x86_64
  • doc/storage: Ceph supports quotas
  • tests: Fix failure when shiftfs is skipped
  • lxd/instance/lxc: Fix mount injection on VFS idmap
  • lxd-agent: Fix bad network metric
  • lxd/endpoints/listeners: Add exportable listeners package
  • lxd/endpoints/starttls: Remove TLS methods from endpoints package
  • lxd/ucred/ucred: Use new listeners package
  • lxd/instance/qemu: Restrict HyperV flags to 5.10+
  • lxd/db: Fix storage_volumes sequence (again)
  • lxd/dns: Better handle errors
  • api: network_dns_records
  • shared/api: Add network zone record structs
  • doc/rest-api: Refresh swagger YAML
  • client: Add network zone records
  • lxc/network_zone: Add record sub-command
  • i18n: Update translation templates
  • lxd/db: Add the networks_zones_records tables
  • lxd/db: Add network zone records DB functions
  • lxd/lifecycle: Add network zone record events
  • lxd/network/zone: Add record functions
  • lxd/network: Add zone records API
  • lxd/network/zone: Extend template for TTL
  • lxd/network/zone: Add extra records to DNS
  • tests: Add tests for network zones records
  • doc/network-zones: Add section on custom records
  • doc: Fix typo in ZFS storage
  • api: storage_zfs_reserve_space
  • lxd/storage: Add zfs.reserve_space
  • doc/storage: Add zfs.reserve_space
  • scripts: Add zfs.reserve_space to completion
  • lxd/storage/drivers: Sets RunningCopyFreeze to true.
  • doc: add a target to serve the rendered docs
  • doc: add a doc README
  • doc: exclude README.md from doc build
  • lxd: Only patch dnsmasq for networks in the db.
  • lxd/storage/drivers: Factors out fast snapshot logic from volume backup.
  • lxd/storage/drivers: Uses fast snapshot as source of migration.
  • lxd/storage/drivers: Factors out fast snapshot logic from volume backup.
  • lxd/storage/drivers: Uses fast snapshot as source of migration.
  • lxd/storage: Freezes instances during migration.
  • lxc/exec: Don't terminate on SIGWINCH
  • lxd/events: Increase websocket pings to 10s
  • lxd/console: Fix error wrapping
  • lxc/console: Properly handle GUI exiting
  • lxc/console: Fix typo
  • lxd/storage/drivers: Fixes reverter usage.
  • lxd: Restart networks when enabling clustering
  • lxd/network/bridge: Skip HandleHeartbeat on missing forkdns
  • api: network_acl_log
  • client: Add GetNetworkACLLogfile
  • lxc/network_acl: Add show-log
  • i18n: Update translation templates
  • lxd/network/acl: Add log endpoint
  • doc/rest-api: Refresh swagger YAML
  • lxd/storage/drivers: Add support for zfs.blocksize config option
  • lxd: Add validation for volume.zfs.blocksize
  • doc: Add zfs.blocksize
  • api: Add storage_zfs_blocksize extension
  • doc: quick cleanup of FAQ
  • api: metrics_cpu_seconds
  • lxd/metrics: Convert to using float64
  • lxd/metrics: lxd_cpu_seconds_total is in seconds, not ms
  • lxd/storage: Expose GetVolume
  • lxd/instance/lxc: Fix filesystem metrics
  • lxd/db: Refactor storage pool used by to get info on all nodes.
  • lxd: Get storage pool used-by info from all nodes if target is unset.
  • lxc/storage: Parse and include node in used-by info.
  • Rename lxd-p2c to lxd-migrate
  • Makefile: s/lxd-p2c/lxd-migrate/
  • test/suites: s/lxd-p2c/lxd-migrate/
  • .github/workflows: s/lxd-p2c/lxd-migrate/
  • .gitignore: s/lxd-p2c/lxd-migrate/
  • lxd/device: Removes VM from list of supported instance types.
  • doc: Clarify multiple GPU device passthrough for VMs.
  • doc/metrics: switch to ECDSA with longer validity
  • doc/metrics: tune scrape_interval to deal with default caching done by LXD
  • doc/metrics: alpha sort prometheus.yml snippet
  • lxd/endpoints: Implements an io.Writer to skip certain input.
  • lxd/endpoints: Adds tests for the networkServerErrorLogWriter.
  • lxd/endpoints: Sets the network server logger when proxies are updated.
  • lxd/instance/lxc: Fix missing fs metrics on bind-mount
  • lxd/operations: Add ExtendMetadata
  • lxd/exec: Use ExtendMetadata
  • shared/api: Fix incorrect image aliases example
  • doc/rest-api: Refresh swagger YAML
  • doc: Add basic instance exec information
  • go.mod: use github.com/mdlayher/vsock@v1.0.0
  • lxd/instance/metrics: Fix incorrect memory metrics
  • lxd/db/generate/db/stmt: Add 'order' tag
  • lxd/db/instance/profiles: Use 'order' tag to order queries by apply order
  • lxd/db/instance/profiles.mapper: Update generated code
  • lxd/metrics: Invert condition as all existing metrics have labels
  • lxd/instance/lxc: Cast statfs.Bsize only once
  • lxd/instance/lxc: Only convert CPU ID once
  • lxd/instance/lxc: Cache labels in for loops
  • api: instance_snapshot_never
  • doc/instances: Add @never to snapshots.schedule
  • lxd: Add @never to snapshots.schedule
  • lxd/instance/qemu: Fix live update logic
  • lxd/instance/qemu: Fix agent-less memory metrics
  • lxd/instance/qemu/qmp: Remove GetMemoryStats
  • lxd/firewall/drivers/drivers/xtables: Don't attempt IPv6 RP filter if not enabled
  • lxd/network/driver/ovn: Don't attempt to configure IPv6 setting if not enabled
  • doc/instances: Fix bridged NIC ipv{n}.address docs indicating none is valid value
  • shared/util/linux: Add channel closed check before writing in ExecReaderToChannel
  • lxd/metrics: OpenMetrics says to end with EOL
  • lxd: Rename metrics to api_metrics
  • lxd/daemon: Drop metrics from main struct
  • lxd/metrics: Rework caching and locking
  • lxd/metrics: Reduce cache to 8s to accommodate 10s intervals
  • lxc/console: Don't write twice to sendDisconnect
  • doc/api-extensions: Remove trailing whitespaces
  • lxd: Check serverName in clusterMemberJoinTokenDecode
  • shared/api/cluster: s/Base64/base64/
  • lxd/certificates: Fix typo in comment
  • lxc/config_trust: Don't remove extension from cert
  • shared: Remove SplitExt
  • lxd/certificates: Rework certificate name logic
  • doc: download external images
  • doc: use local image
  • doc: add doc output to "make dist"
  • shared/api: Add CertificateAddToken
  • lxd/instance/drivers/driver/lxc: Reduce calls to VolatileSet to reduce DB transactions
  • lxd/instance/drivers/load: Removes unused cluster arg from validDevices
  • lxd/instance/drivers: instance.ValidDevices usage
  • lxd/instance/instance/utils: ValidDevices definition and usage
  • lxd/profiles/utils: instance.ValidDevices usage
  • lxd/profiles: instance.ValidDevices usage
  • lxd/project/permissions: Updates CheckClusterTargetRestriction to accept a project record
  • lxd/project/permissions/test: project.CheckClusterTargetRestriction usage
  • lxd/instances/post: project.CheckClusterTargetRestriction usage
  • lxd/instance/post: project.CheckClusterTargetRestriction usage
  • lxd/cluster/config: Add ImagesDefaultArchitecture function
  • lxd/instances/post: Uses config.ImagesDefaultArchitecture
  • shared/api: Add ToCertificateAddToken
  • shared/api: Add Token to CertificatesPost
  • api: Add certificate_token
  • shared: Add CertificateTokenDecode
  • lxd/db: Add OperationCertificateAddToken
  • lxd: Add certificateTokenValid
  • lxd: Support certificate tokens
  • client: Add CreateCertificateToken
  • lxc: Support client tokens in lxc config trust
  • lxc: Support client tokens in lxc remote add
  • lxc: Add lxc config trust list-tokens
  • lxc: Add lxc config trust revoke-token
  • lxc/cluster: Make member arg optional when adding member
  • test/suites/remote: Test client tokens
  • doc/authentication: Add tokens
  • i18n: Update translation templates
  • lxd/instance/instance/utils: Remove call to tx.ProjectExists in CreateInternal
  • lxd/instances/post: Removes unnecessary pool check in instancesPost
  • lxd/db/query/retry: Improve consistency of logging in Retry
  • lxd/instance/instance/utils: Comment fix
  • lxd/instance/instance/utils: Don't call ValidDevices multiple times during instance create
  • lxd/db/networks: Update network load functions to share transaction
  • lxd/instance/drivers: Merge expandDevices with expandConfig
  • lxd/instances/post: Renames targetProject to targetProjectName and p to targetProject
  • lxd/db/storage/pools: Reworks getStoragePool to use a single transaction internally
  • shared/api: Add ToClusterJoinToken
  • lxc/cluster: Switch to ToClusterJoinToken
  • lxc/cluster: Drop clusterJoinTokenOperationToAPI
  • lxc: Translate all errors
  • i18n: Update translation templates
  • lxd/db: Uses api.URL to build used-by urls for storage pools.
  • doc: fix path to image in the header
  • lxd/cluster/gateway: Enable TCP user timeout and connection closing on failure in dqliteNetworkDial
  • lxd/cluster/gateway: Improve logging in dqliteNetworkDial
  • lxd/cluster/gateway: Standardise logging naming of dqliteProxy and dqliteNetworkDial
  • lxc: Properly report alias add/update errors
  • i18n: Update translation templates
  • client: Update example to use instances
  • client: Clearly mark container functions as deprecated
  • lxd/cgroup: Add total_cache on V2
  • lxc/console: Rework concurrency model for vga
  • lxd/instance/drivers/driver/qemu: Add check for lxd-agent running in getAgentClient
  • lxd/instance/drivers/driver/qemu: Remove duplicated lxd-agent running status check in agentGetState
  • lxd-agent: Updates startStatusNotifier to return a cancel function
  • lxd-agent: c.startStatusNotifier usage
  • lxd/instance/drivers/qmp/monitor: Add agentReadyMu for proper shared access to agentReady
  • lxd/instance/drivers/driver/qemu: Removed unused agentClient var
  • github: Update for current min Go version (1.16)
  • lxd-migrate: Create interactive tool
  • i18n: Update translations from weblate
  • doc/rest-api: Refresh swagger YAML
  • gomod: Update dependencies

Try it for yourself

This new LXD release is already available for you to try on our demo service.

Downloads

The release tarballs can be found on our download page.

Binary builds are also available for:

  • Linux: snap install lxd
  • macOS: brew install lxc
  • Windows: choco install lxc
